undefined | Better HN

0 pointsiraqmtpizza1y ago0 comments

The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

0 comments

Yes but if the algorithm and salt gets to be known then there are very few possibilities (10^n where n is max length of passcode) and unless people are setting 50 digit passcodes, then it is very crackable.

iraqmtpizzaOP1y ago

It's crackable by those that have the secret key i.e. AT&T and whoever they leak their key to. But presumably it's harder to steal a secret key and a database entry than it is to steal just a database entry.

The salt just obscures whether two users have the same code

j / k navigate · click thread line to collapse

0 comments

illusive40801y ago

iraqmtpizzaOP1y ago

The salt just obscures whether two users have the same code

j / k navigate · click thread line to collapse