Viewing a single comment thread. View all comments

Hyolobrika wrote

I probably don't know as much about tech but why would you need a salt? I'm curious.


jaidedctrl wrote

if you get the sha256 hash of 12 characters or so, like in an IP address (XXX.XXX.XXX.XXX) there are only around 61917364224 (12^10) possible values.
That might seem like a lot, but a computer can create all of these values and then find the sha256 hashes of them quickly, then save them all in a list of hash-to-IP values.

Then, the hashed IPs that would be logged could easily be compared with the list of hash-to-IP values to find actual IP addresses.

Basically, storing a hash of an IP isn't obfuscation at all.

But throwing salt into the mix— making the hash values of the IP addresses less predictable— would make it very hard to calculate all potential addresses, especially if the salt is completely random.

Let's say that IPs would be hashed as "XXX.XXX.XXX.XXX" with a near-random amount of random characters at the end (salt), determined once every 24 hours. Assuming true randomness, something like that would make them incredibly difficult to predict the hash-to-value list of.