That would prevent using a pre-generated lookup table but doesn't help much with... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		giaour on March 31, 2022 \| parent \| context \| favorite \| on: I'm a scam prevention expert and I got scammed That would prevent using a pre-generated lookup table but doesn't help much with brute force attacks. All possible card numbers is a finite set, and if you have the sha256(card number + salt), you can figure out which card number was used as input given the improbability of sha256 collisions within that set. Keep in mind this in the context of an account holder asking the bank to authenticate themselves on a phone call using data only the bank and the account holder should know. sha256(card number) was an example of something that is obviously inappropriate, and I don't think sha256(card number + salt) is any different qualitatively.

hunter2_ on April 1, 2022 [–]

Not to mention, how many bits of salt can you transmit by voice in this context without this turning into a whole song and dance?

> That would prevent using a pre-generated lookup table

Only for a healthy pinch of salt, not a couple grains, right?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact