Fusseldieb

Reputation: 1374

Store one big Hash instead of User/Pass in DB

Normally a password is stored with a one-way algorithm, so that it is hard to discover the plain text from it. But I've been thinking: what if I store a SHA512 of both username and password melted together (A+B=SHA512), instead of the username and the password hash separately? Is this method secure?

EDIT: In my opinion the username 'salts' the password, so there will never be two equal hashes...

Upvotes: 1

Views: 65

Answers (2)

TheGreatContini

Reputation: 6629

(1) You should be using something like bcrypt, scrypt, or pbkdf2 instead of something like SHAwhatever for password processing. Google this.

(2) How would you deal with forgotten password scenario?

(3) See my blog, particularly the section on "A simple example: protecting email address": https://littlemaninmyhead.wordpress.com/2015/09/08/a-retrospective-on-ashely-madison-and-the-value-of-threat-modeling/

Upvotes: 2

wallyk

Reputation: 57784

Sure that would work. But would you ever want to retrieve a list of user names?

In the authentication implementations I have written, I use the username as part of the salt. That combined with a sitewide salt plus a bit of constant salt ends up creating around 120 bits of salt per username.

Upvotes: 0
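To make both answers concrete, here is an added example (not code from either answerer) that places the question's single-SHA512 record next to a PBKDF2 record that keeps the username, a random per-user salt and a site-wide salt, as wallyk describes. The sample credentials and the site salt are constructed for the demo; it also shows a property of plain concatenation (A+B) that the question does not mention: two different username/password pairs can produce the same stored value.

```python
import hashlib
import hmac
import os

# Constructed sample credentials, not taken from the original post.
USER, PASSWORD = "alice", "correct horse battery staple"


def naive_record(username: str, password: str) -> bytes:
    """The scheme from the question: one SHA-512 over username + password,
    stored instead of the username and a separate password hash."""
    return hashlib.sha512((username + password).encode()).digest()


def naive_login(store: set, username: str, password: str) -> bool:
    """Verification is one fast, unsalted hash lookup. Because the username
    is never stored, the site cannot list its users or handle a reset."""
    return naive_record(username, password) in store


def naive_is_ambiguous(u1: str, p1: str, u2: str, p2: str) -> bool:
    """Plain concatenation loses the boundary: ('ab','c') and ('a','bc')
    hash identically, so the store cannot tell the two identities apart."""
    return naive_record(u1, p1) == naive_record(u2, p2)


def make_record(username: str, password: str, site_salt: bytes,
                iterations: int = 200_000) -> dict:
    """Hardened record: PBKDF2-HMAC-SHA256 (a slow KDF, as answer 1 advises)
    over a salt built from a site-wide secret, the username and 16 random
    bytes. The username stays in the clear for lookup and password resets."""
    user_salt = os.urandom(16)
    salt = site_salt + username.encode() + user_salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"username": username, "salt": user_salt,
            "iterations": iterations, "hash": digest}


def verify(record: dict, site_salt: bytes, password: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    salt = site_salt + record["username"].encode() + record["salt"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print("naive collision:", naive_is_ambiguous("ab", "c", "a", "bc"))
    rec = make_record(USER, PASSWORD, b"constructed-site-salt")
    print("login ok:", verify(rec, b"constructed-site-salt", PASSWORD))
```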
