Comment by always_good
7 years ago
When you can trivially crawl the input space like IPv4 addresses, you'd have to expire a fresh per-day salt as well.
But to my eyes, expiring salts isn't much different than deleting IP addresses after one day. Just more machinery. People have to trust that you're doing either, so why bother beyond being able to use the word "hashing" in marketing language?
You'd at least want per-record salts. But even then it's trivial to check if a given IP is in the dataset. Better, but not great. (i.e., you have access to the dataset, you want to check if a given IP/time match the log - read the salt, check the hash).
But per-record hashes break the original use case: checking if a given hash is already in the database.
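
The trade-off discussed above, as an added example that is not part of the thread: a shared daily salt keeps deduplication working but lets anyone holding the salt enumerate the address space, while per-record salts defeat a single precomputed pass yet still allow a membership check and break hash-based deduplication. The salted SHA-256 scheme, the function names and the sample addresses (documentation range 203.0.113.0/24) are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import os


def salted_hash(salt: bytes, ip: str) -> str:
    """Salted SHA-256 over the packed address (assumed scheme, not from the thread)."""
    return hashlib.sha256(salt + ipaddress.ip_address(ip).packed).hexdigest()


def recover_ip(salt: bytes, target: str, network: str):
    """With the salt known, walk the network until a hash matches.
    The whole IPv4 space is only 2**32 candidates."""
    for addr in ipaddress.ip_network(network):
        if salted_hash(salt, str(addr)) == target:
            return str(addr)
    return None


def per_record_contains(records, ip: str) -> bool:
    """Membership test against (salt, digest) rows: read each salt, check the hash.
    Costs one hash per stored record instead of one index lookup."""
    return any(salted_hash(salt, ip) == digest for salt, digest in records)


# Constructed sample data: three visits, two distinct addresses.
DAILY_SALT = b"constructed-daily-salt"
VISITS = ["203.0.113.7", "203.0.113.42", "203.0.113.7"]


def demo():
    # Shared daily salt: equal IPs give equal hashes, so dedup works...
    daily = [salted_hash(DAILY_SALT, ip) for ip in VISITS]
    unique_daily = len(set(daily))
    # ...and the same property lets a salt holder map a hash back to an IP.
    recovered = recover_ip(DAILY_SALT, daily[1], "203.0.113.0/24")

    # Per-record salts: every row hashes differently, so "is this hash
    # already in the database?" can no longer be answered by comparing hashes.
    per_record = [(s, salted_hash(s, ip)) for ip in VISITS for s in [os.urandom(16)]]
    unique_per_record = len({digest for _, digest in per_record})
    # A known IP can still be tested against the dataset row by row.
    found = per_record_contains(per_record, "203.0.113.42")
    absent = per_record_contains(per_record, "203.0.113.99")
    return unique_daily, recovered, unique_per_record, found, absent


if __name__ == "__main__":
    print(demo())
```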