by VStrike 1873 days ago
There are so few pins that even when hashed it would probably be easy to crack

That's something that crossed my mind; a 4-digit PIN is a weak password by definition.

But hashing them together with the customer ID, date of birth, or something else, and using bcrypt to slow brute-forcing down, could already be an improvement.

bcrypt already includes salt [1] to prevent the use of rainbow tables. Adding more things is probably not very useful.

Anyway, a 4-digit PIN has only 10000 combinations, which can be brute-forced almost instantly.

(On the other hand, sending it by email is not a good idea.)

[1] https://en.wikipedia.org/wiki/Salt_(cryptography)

But there’s no point in doing that. After a leak, you can assume the attacker already knows customer ID and date of birth along with the hypothetically hashed PIN. Brute-forcing the real PIN would take a few microseconds. So why even bother?
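The two points above (a 4-digit PIN gives only 10^4 candidates no matter how slow the hash is, and mixing in customer ID or date of birth does nothing once the attacker holds the leaked row) can be shown concretely. The following is an added example, not code from the thread; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (both are salted, tunable-cost password hashes, and the argument is about keyspace size, not the algorithm). The iteration count, salt, sample PIN and the "context" bytes are constructed for the demonstration.

```python
import hashlib
import time

# Added example, not from the thread. PBKDF2-HMAC-SHA256 stands in for bcrypt;
# the iteration count, salt, PIN and context values below are constructed.
ITERATIONS = 10_000
PIN_DIGITS = 4


def hash_pin(pin: str, salt: bytes, iterations: int = ITERATIONS,
             context: bytes = b"") -> bytes:
    """Hash a PIN with a per-record salt and optional extra 'context'
    (customer ID, date of birth, ...) mixed into the hashed input."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + context, salt, iterations)


def crack_pin(target: bytes, salt: bytes, iterations: int = ITERATIONS,
              context: bytes = b"", digits: int = PIN_DIGITS):
    """Exhaustively try every `digits`-long PIN in order.

    The salt and the context come straight from the leaked record, so the
    only unknown is the PIN itself and the search space is exactly 10**digits.
    Returns (pin, attempts) on success, or (None, 10**digits) if nothing matched.
    """
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if hash_pin(guess, salt, iterations, context) == target:
            return guess, n + 1
    return None, 10 ** digits


def worst_case_seconds(iterations: int = ITERATIONS, digits: int = PIN_DIGITS,
                       samples: int = 20) -> float:
    """Time a few hashes and extrapolate the cost of walking the whole keyspace.

    Raising the work factor only scales this linearly; it never changes the
    10**digits number of candidates.
    """
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hash_pin(f"{i:0{digits}d}", salt, iterations)
    per_hash = (time.perf_counter() - start) / samples
    return per_hash * 10 ** digits


if __name__ == "__main__":
    # Constructed "leaked row": hash, salt, customer ID and date of birth.
    salt = b"constructed-salt"
    customer_id = b"C-12345"
    dob = b"1990-01-01"
    stored = hash_pin("1234", salt, context=customer_id + dob)

    # The attacker knows everything except the PIN, so the extra context is
    # simply replayed into each guess.
    pin, attempts = crack_pin(stored, salt, context=customer_id + dob)
    print(f"recovered PIN {pin} after {attempts} guesses")
    print(f"worst case for all 10^{PIN_DIGITS} PINs at {ITERATIONS} "
          f"iterations: {worst_case_seconds():.1f} s")
```

`worst_case_seconds` makes the trade-off explicit: a work factor that makes one hash take 100 ms turns a full sweep into under twenty minutes on a single core, which is the "why even bother" point. Salting (which bcrypt does by itself) only stops one sweep from covering every customer at once; it does nothing for a single targeted record.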