Re-hashed a hashed password

Supposed knowledge
Hash, Salting, PBKDF [1-2]

Problem
I store passwords in my database using a scaled hash/salting algorithm such as PBKDF2. I thought, "Hey, if I use my passwords 20,000 times, should it be safe enough to brute force attack?" and it is true, until next year, when the best computers appear.

Possible Solution

Leaving aside the question about the length of the encryption key and the length of the salt (which can also be included in this solution), I thought that if every N days, I intercepted all the passwords in the database. Thus, they are hashed 20,000 times, then after a week, I have them even more than 500 times, which makes them a total of 20,500 times. Store the number of times it hashed in the database. The idea is to increase the number of hashes as technology advances.

Existing Similar Implementations
BCrypt introduces a work factor to increase the hash password time.
PBKDF2 uses several iterations to accomplish the same thing. It is used by Mac OS X, Windows and Linux for file-level encryption. Wi-Fi networks also use its implementation.

Can anyone see a problem with this? Have you tried this already? Is there an algorithm that accepts a pre-hashed password and re-hashes it β€œN” times?

Edit
The question is not that multiple hashing is safe (this has been verified and verified). The question is re-hashing to increase security without requiring users to reset their passwords.

Solution: courtesy of a discussion with JVestry

Thus, re-hashing all passwords every "N" days is a waste of time, since a hacker can simply crack it using an old copy of the database. However, if you combine the concept of increasing the amount of hash memory over time before the password update policy, the concept will be sound.

Implementation
All passwords expire every 30 days. When they are updated, their hash counter increases. Therefore, resetting the password yesterday will be harder to crack than one set 20 days ago. The hash counter can be stored or retrieved from the algorithm using the last modified date.

Thanks!

TTD

+4
2 answers
Can anyone see a problem with this? 

Yes. Assuming you will be remodeling weekly with salt (which, I think, is what you mean), there is still a problem. If someone manages to access the hashed password in week x, any further hashing in week x + n will not provide any additional security.

A hacker has to work on so many iterations in week x. Once the key is broken, it just has to hash it a bit more, like you do every week. It is dead light and completely invisible.

If you rephrase, do it with a new salt and from scratch with a lot of iterations. Your shortcut does not bring extra security.

+3
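
The rehash "with a new salt and from scratch" that this answer recommends can be done at login or password change, when the plaintext is available. The sketch below is an added example, not code from the question or the answers; the record layout, function names and the SHA-256 choice are assumptions, and the iteration counts are the question's figures.

```python
import hashlib
import hmac
import os

# Assumed current policy, using the question's figure; raise it as hardware improves.
TARGET_ITERATIONS = 20_500
SALT_LEN = 16
DK_LEN = 32

def make_record(password: str, iterations: int = TARGET_ITERATIONS) -> dict:
    """Hash from scratch: fresh random salt, full iteration count.
    The count is stored beside the hash, as the question proposes."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DK_LEN)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify(password: str, record: dict) -> bool:
    """Recompute with the record's own salt and count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                             record["iterations"], len(record["hash"]))
    return hmac.compare_digest(dk, record["hash"])

def login(password: str, record: dict):
    """Return (ok, record_to_store).

    On a successful login against a record below the current target, the
    password is rehashed from scratch (new salt, TARGET_ITERATIONS) and the
    caller persists the returned record. No password reset is needed."""
    if not verify(password, record):
        return False, record
    if record["iterations"] < TARGET_ITERATIONS:
        record = make_record(password)
    return True, record

if __name__ == "__main__":
    # Constructed sample data: a record created under last year's policy.
    old = make_record("correct horse", iterations=20_000)
    backup = dict(old)  # stands in for an older copy of the database
    ok, current = login("correct horse", old)
    print("login ok:", ok, "| stored iterations now:", current["iterations"])
    # The older copy is unchanged by the upgrade: it still verifies at 20,000.
    print("old copy still verifies:", verify("correct horse", backup),
          "at", backup["iterations"], "iterations")
```

The upgrade only raises the cost of attacking copies taken after it; an older copy keeps the work factor it was written with until the password itself changes.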

This will lead to a tougher brute force gap, but will also make the login process slower.

You better use more salt.

+2
