JJ Edgar VI JJ Edgar VI - 17 days ago 5
PHP Question

Displaying hashed content on my website

I have a system that currently tracks user IPs and other different unique identifiers.

On certain pages, I would like to show multiple IPs most of which belong to other users(you'll just have to trust me that it's necessary and not for a bad cause, quite the opposite). For obvious reasons I don't want to just show plaintext IPs all over the place.

So my question is: would saving said IPs as hashed content using something like sha256 be secure enough to display to other users?

I had thought about concatenating a more complex string to the beginning/end of the IP before hashing thus possibly making it more complex? I am almost certain this is very bad practice, but thoughts?

I could always make a second table in the database that links all IPs to a completely random unique identifier, however, I would prefer to avoid that and only used hashed IPs if it would be considered somewhat safe.

Answer
  1. Hashing the IPs without a salt will make it fairly easy to reverse as there are exactly 2^32 [~4 billion] possibilities to bruteforce, and that can be done surprisingly quickly these days.

  2. Hashing the IPs with a global salt will likely only make them marginally more secure as all someone needs to do is find their own IP hash and bruteforce that to determine the salt, and then you're back to 1.

  3. Hashing the IPs with a per-IP salt is where it becomes reasonably secure, but at this point you're already generating random values per-ip so you might as well just use random IDs anyway.

Comments