Geek Answers Handbook

Does hashing hash make it more secure?

Possible duplicate:
Is "double hashing" a password less secure than just hashing it?

I encrypt passwords using sha1 in PHP, but I wonder if hash hashing is safer than just password hashing.

For instance:

there is

$hash = sha1($pwd);

less safe than

 $hash = sha1(sha1($pwd));

I don’t understand why this will not happen because reverse lookup sites cannot find a hash match.

+4
source share
3 answers

First, as weak as sha1, it is better than unencrypted saved passwords. Any encryption, hashing or other obfuscation is much better than plaintext!

The problem with sha1 is its speed, so its hashes generated quickly. Salting helps a lot, but if your server is compromised and you have a hash that is stored somewhere in the string, this is an advantage ...

If you do not want to use mcrypt or another encryption method, you can mix your sha1 hash a bit like this:

 $my_super_sha1_hash = sha1( sha1( substr( sha1($username) , 0 , strlen($password) ) ) .sha1( substr( sha1($password) , 0 , 40-strlen($password) ) ) );

By mixing username and password and using the length of the (unknown) password to determine which bits of each are used in the bite, which is then hashed again, each salt is unique but not random, so the result is consistent for all users, and LOT is more difficult to crack because it must take into account the length of the password string and username.

-2
source

Double hashing really doesn't help. Salting does.

+2
source

To make your password store secure, you should not use sha1 or any other fast hash algorithm, use a key derivation function like BCrypt instead .

The problem with fast algorithms is that you can calculate 3 Giga sha1 hashes per second with shared hardware ( in 2012 ). This allows you to copy an entire English dictionary of about 500,000 words in less than a millisecond!

The second problem in your example is the missing salt. If you do not use a unique salt for each password, an attacker can create one rainbow table to get all the passwords.

BCrypt was specifically designed for hash passwords and is therefore slow (it takes some computational time). With a cost factor, you can adapt the necessary time to the future (and therefore faster) hardware. Inside, it does something similar, as you expected, it repeats hashing many times, but in a safe way.

Using BCrypt can be as simple as using the sha1 hash. PHP 5.5 will have its own functions password_hash() and password_verify() ready to simplify this task. There is also a compatibility package for PHP 5.3 / 5.4, available for download at password_compat .

+2
source

More articles:


All Articles