Comment by kentonv

6 days ago

Learning a prefix of the hash doesn't really get you anywhere. The hash itself isn't a secret -- it could be published publicly without breaking the security model. You still need to derive a token that hashes to that value in full, and if you can do that then you've broken the hash algorithm by definition.

Say I got a memory dump from the client system. I don't know what is what, but the secret is in there somewhere.

Filtering it down by the hash prefix locally is much less likely to be detected than spamming the servers.

Yes, I guess, if you trust the hash implementation completely; I just favour a bit more defence in depth.