Mohan

Reputation: 334

Is double hashing combined with salting an effective password storing technique?

I am trying to store passwords according to the steps below:

  1. Hashing the password,
  2. Adding the last four characters of the hashed password to the hashed password again,
  3. Adding salt to the result of step 2,
  4. Hashing the result of step 3.

Are there really ways in which hackers can still hack this?

Upvotes: 1

Views: 289

Answers (2)

martinstoeckli

Reputation: 24071

As long as the attacker doesn't know your invention, this is "security by obscurity"; as soon as the algorithm is known it is nearly as easy to brute-force as a plain salted SHA-*. The problem is that one can try about 3 Giga SHA-256 hashes per second with common hardware, and cracker tools even allow some double hashing schemas out of the box.

What you need is a password-hash function like BCrypt, SCrypt, PBKDF2 or Argon2, which have a cost factor to control the necessary time for a single calculation. Additionally you get the comfort to have the salt included in the resulting hash-string, so you do not have to create and store the salt separately.

Upvotes: 1
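As an added example (not code from either post), the Python below makes the two points concrete: the question's four steps implemented as written (assuming SHA-256 as "hashing", hex digests, and plain string concatenation for "adding"), which costs an attacker only two fast SHA-256 calls per guess and has no tunable work factor, next to the scrypt-based approach this answer recommends, with a cost parameter and the salt embedded in the stored string. The `$scrypt$...` record layout and the `needs_rehash` policy check are this example's own choices, not a standard.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- The scheme from the question, made concrete ------------------------------
# Assumptions: "hashing" = SHA-256, digests handled as hex, "adding" = concatenation.
def question_scheme(password: str, salt: bytes) -> str:
    h1 = hashlib.sha256(password.encode("utf-8")).hexdigest()  # step 1
    h1_extended = h1 + h1[-4:]                                   # step 2: append last 4 hex chars
    salted = h1_extended.encode("utf-8") + salt                  # step 3: add the salt
    return hashlib.sha256(salted).hexdigest()                    # step 4: hash again
# Per guess this is two SHA-256 invocations; there is no knob to make it slower.

# --- What the answer recommends: a password hash with a cost factor ------------
# Current policy; raise SCRYPT_N over time and let needs_rehash() migrate old records.
SCRYPT_N = 2 ** 14   # CPU/memory cost (memory ~ 128 * r * N bytes = 16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DKLEN = 32

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")

def _unb64(s: str) -> bytes:
    return base64.b64decode(s.encode("ascii"))

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$ln=..,r=..,p=..$<salt>$<hash>.
    The salt is generated here and stored inside the record, so the caller
    never has to create or store it separately."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    ln = SCRYPT_N.bit_length() - 1  # log2(N)
    return f"$scrypt$ln={ln},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(dk)}"

def _parse(stored: str) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Split a stored record into (n, r, p, salt, hash); None if malformed."""
    try:
        _, algo, params, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return None
        kv = dict(item.split("=") for item in params.split(","))
        return (2 ** int(kv["ln"]), int(kv["r"]), int(kv["p"]),
                _unb64(salt_b64), _unb64(dk_b64))
    except (ValueError, KeyError):
        return None

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters and salt taken from the record itself."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def needs_rehash(stored: str) -> bool:
    """True if the record was made with parameters other than the current policy
    (or is unreadable), so it should be re-hashed at the next successful login."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return (n, r, p) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("question scheme:", question_scheme("correct horse battery staple", b"constructed-salt"))
```

The record format carries its own parameters, so raising `SCRYPT_N` later does not invalidate existing rows: `verify_password` keeps using the old parameters, and `needs_rehash` tells the login code to replace the record while the plaintext is still in hand.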

S3S

Reputation: 25112

Are there really ways in which hackers can still hack this?

Define hack? The brute force method will always apply for someone gaining access to your system. If someone has a password of 1234, salting and hashing isn't going to make that password stronger. However, if you are worried about reversing passwords from the hashed value and storing the PW in the clear (which you should be, and which seems to be the origin of your question), then yes, you are by using a salt and hash.

Is double hashing combined with salting an effective password storing technique?

The hash function you are using is important here. First, you need one that is collision resistant to ensure two different values don't have a high probability of having the same hash. You didn't state what function you were using (MD5, SHA1, SHA256, etc.).

Step 2 here isn't really needed, but certainly adds complexity. This is true for step 4 as well. I would lean towards a more complex hash function like SHA2 or SHA3 instead of rehashing to speed things up.

Upvotes: 1
