* Thom Brown (t...@linux.com) wrote: > On 10 October 2014 12:45, Stephen Frost <sfr...@snowman.net> wrote: > >> There's a difference between intending that there shouldn't be a way > >> past security and just making access a matter of walking a longer > >> route. > > > > Throwing random 16-digit numbers and associated information at a credit > > card processor could be viewed as "walking a longer route" too. The > > same goes for random key searches or password guesses. > > But those would need to be exhaustive, and in nearly all cases, > impractical.
That would be exactly the idea with this- we make it impractical to get at the unredacted information. > Data such as plain credit card numbers stored in a > column, even with all its data masked, would be easy to determine. I'm not as convinced of that as you are.. Though I'll point out that in the use-cases which I've been talking to users about, it isn't credit cards under discussion. > Salted and hashed passwords, even with complete visibility of the > value, isn't vulnerable to scrutiny of particular character values. > If it were, no-one would use it. I wasn't suggesting otherwise, but I don't see it as particularly relevant to the discussion regardless. Thanks, Stephen
signature.asc
Description: Digital signature