A 2020 MacBook Air can hash every North American phone number in four hours
a day ago
- #PII
- #hashing
- #privacy
- Hashing PII (Personally Identifiable Information) does not effectively protect privacy because PII is neither long nor unpredictable.
- Marketing SaaS and ad tech often use cryptographic hashes for privacy theater, but this approach is flawed for PII like email addresses, phone numbers, and Social Security numbers.
- Tools like BambooHR and UnsubCentral use MD5 or SHA hashes for customer list comparisons, but these hashes can be easily reversed with modern hardware.
- A proof-of-concept demonstrates generating rainbow tables for North American phone numbers using DuckDB, showing how quickly hashed PII can be cracked.
- Even without specialized software, hashed PII can be reversed using consumer hardware, making hash-passing for privacy a broken solution.
- Researchers in 2021 demonstrated hashing 118 billion phone numbers, but today, even a laptop can perform such tasks efficiently.
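
The points above come down to keyspace size, which can be checked with a short test harness like the following. It is an added example, not the DuckDB proof of concept the page refers to. It enumerates a single 10,000-number block, looks up a plain hash, and contrasts that with a keyed HMAC. The E.164 normalization, the function names, the sample number (from the fictional 555-01xx range) and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac


def nanp_keyspace() -> int:
    """Upper bound on NANP numbers: NPA (N=2-9, then XX) * NXX * XXXX."""
    return (8 * 10 * 10) * (8 * 10 * 10) * 10_000


def plain_hash(number: str, algo: str = "sha256") -> str:
    """Unkeyed digest of a normalized number, as a list-matching tool might share it."""
    return hashlib.new(algo, number.encode()).hexdigest()


def build_block_table(area: str, exchange: str, algo: str = "sha256") -> dict:
    """Map digest -> number for every line number in one area code + exchange."""
    table = {}
    for line in range(10_000):
        # Assumed normalization: E.164 with the +1 country code.
        number = f"+1{area}{exchange}{line:04d}"
        table[plain_hash(number, algo)] = number
    return table


def recover(digest: str, table: dict):
    """Return the number behind a digest, or None if it is not in the table."""
    return table.get(digest)


def keyed_token(number: str, key: bytes) -> str:
    """HMAC-SHA256 token: cannot be precomputed without the secret key."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sample = "+12025550143"              # constructed sample number
    key = b"constructed-demo-key"        # constructed key, never reuse
    table = build_block_table("202", "555")
    print("NANP upper bound:", nanp_keyspace())
    print("plain hash reversed to:", recover(plain_hash(sample), table))
    print("keyed token reversed to:", recover(keyed_token(sample, key), table))
```

The keyed token only resists enumeration while the key stays secret: any party that holds the key can rebuild the same table, so the key must not be handed to the counterparty the hash was meant to protect against.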