Regex golf, is this a valid PIN?

S. Dale Morrey sdalemorrey at gmail.com
Mon Feb 24 21:58:37 MST 2014


Not a bad idea!
This isn't an "unlock code" it's 1/2 of a private key and also used as the
salt to a keygen function wherein something else is being used as the
primary data portion or seed.
The keygen function uses scrypt at it's core so it's extremely expensive to
try to brute force.

The PIN needs to be something they can remember, but would be impractical
to try and brute force.  Before they get to the option to enter a PIN they
will have already entered a password and verified using an MFA component
such as email link, sms code or ToTP.

The PIN is part of authorization not identification (single user can have
multiple PINs and thus multiple keys).
It is presumed that should we move to PoS deployments that the user would
be issued a physical token to use in conjunction with their PIN to
authorize the transaction.


On Mon, Feb 24, 2014 at 9:45 PM, Michael Torrie <torriem at gmail.com> wrote:

> On 02/24/2014 09:03 PM, S. Dale Morrey wrote:
> > fine we will make it 10 :)
>
> Even better, their phone number!
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>


More information about the PLUG mailing list