posted ago by Doggos

Version 1.1.6.1 (07/27/2020) changes how we store IP addresses.

As outlined in our Privacy Policy, we store the latest IP address for each logged-in user. This is overwritten every time that it changes.

As part of our effort to minimize the data that we hold on users, we're now hashing (and peppering) the IP addresses that we store.

This follows a change two months ago where we hashed (bcrypt) email addresses.

The reason that we store any IP addresses is so that we can detect networks of malicious accounts, which means that we need the hash of two identical IPs to be the same. We can't realistically salt the IP addresses, because then the values for two identical IPs would not match. We will reconsider this in the future.

Comments (2)
Spicy_maymay 1 point ago +1 / -0

Great news, with the frequent apparent DDoS attacks indicating that outsiders have a dedicated interest in attacking us, this was something I was worried about. I'm not sure why y'all are hesitant about salting though. Is it because you want to keep track of banned IP addresses? In such case I would recommend just keeping a single salt for all banned IPs.

Hopefully you can eventually come up with some sort of defense against rainbow tables, don't get stuck on the XY problem. If you think the rainbow hairs (pun intended) at Google Inc. aren't actively looking at ways to attack this site and its users, either during their paid work hours or not, I fear you are most likely mistaken.

Doggos [S] [M] 2 points ago +2 / -0

In such case I would recommend just keeping a single salt for all banned IPs.

Sounds like peppering, which we're doing. We append a static value to the end of all IP addresses before hashing.

The addresses are useless to us if the hashes of two identical IP addresses are not the same.
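An added worked example (editor's illustration, not the site's code) of the scheme described in the post and in the reply above: a deterministic, peppered IP hash, so that two accounts seen from the same address produce the same stored value and can be clustered, with no per-record salt. It differs from the post's description in one labelled way: the pepper is used as an HMAC-SHA256 key rather than appended to the address string before a bare hash, which is the standard way to bind a secret into a hash. The pepper value, the sample account records and the clustering/recovery helpers are all assumptions constructed for the example. The last function shows the caveat a practitioner should keep in mind with this design: because the hash is deterministic and the IPv4 space is only 2^32 values, anyone holding the pepper can enumerate candidate addresses and reverse every stored hash, so the secrecy of the pepper (kept outside the database) is the whole protection.

```python
"""Deterministic peppered IP hashing (added example, not the site's own code).

Assumptions made here, not stated in the post:
  * the pepper is a random secret held outside the database (env var / secrets
    manager) and used as an HMAC-SHA256 key rather than string-appended;
  * addresses are normalised before hashing so textual variants of one host
    (e.g. an IPv4-mapped IPv6 form) do not produce different hashes.
"""
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict

# Hypothetical pepper, fixed here only so the example is reproducible.
# In production generate it once with new_pepper() and never store it next to the hashes.
PEPPER = bytes.fromhex("00" * 32)


def new_pepper() -> bytes:
    """Generate a fresh 256-bit pepper (call once; rotate only with a re-hash plan)."""
    return secrets.token_bytes(32)


def hash_ip(ip: str, pepper: bytes = PEPPER) -> str:
    """Return a hex digest that is identical for every occurrence of `ip`.

    No salt is used on purpose: the post needs equal addresses to hash equally.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # "::ffff:a.b.c.d" -> a.b.c.d
    return hmac.new(pepper, addr.packed, hashlib.sha256).hexdigest()


def shared_ip_clusters(records, pepper: bytes = PEPPER, min_accounts: int = 2):
    """Group accounts by peppered IP hash; return only hashes shared by >= min_accounts.

    `records` is an iterable of (username, last_ip) pairs, i.e. the one IP per
    user that the post says is stored.
    """
    by_hash = defaultdict(list)
    for user, ip in records:
        by_hash[hash_ip(ip, pepper)].append(user)
    return {h: users for h, users in by_hash.items() if len(users) >= min_accounts}


def recover_ip(digest: str, network: str, pepper: bytes):
    """Reverse a digest by enumerating a network, given the pepper.

    This is the caveat: with no salt, knowing the pepper turns every stored
    hash back into an address with at most 2**32 trials (256 here for a /24).
    Returns None if no address in the range matches.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hash_ip(str(addr), pepper), digest):
            return str(addr)
    return None


# Constructed sample data: three accounts from one host, one from another.
SAMPLE_RECORDS = [
    ("alice", "203.0.113.7"),
    ("bob", "203.0.113.7"),
    ("carol", "::ffff:203.0.113.7"),  # same host, IPv4-mapped IPv6 form
    ("dave", "198.51.100.42"),
]

if __name__ == "__main__":
    for digest, users in shared_ip_clusters(SAMPLE_RECORDS).items():
        print(f"{digest[:16]}... shared by {users}")
    target = hash_ip("203.0.113.7")
    print("recovered with pepper:", recover_ip(target, "203.0.113.0/24", PEPPER))
    print("recovered without pepper:", recover_ip(target, "203.0.113.0/24", b"wrong"))
```

Running it prints one cluster (alice, bob, carol) and shows that the same digest is recovered in at most 256 guesses when the pepper is known but not otherwise; that asymmetry is the entire security argument for this design.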