Reputation: 292
Does using a password twice when hashing it make it safer?
Does using a password twice when hashing it make it safer? My example is in CodeIgniter, I striped it down to just the bare minimum. Please do not point out all the things wrong with the example, it is just an example.
<?php
function user_signup(){ // The normal way
$this->load->database();
$new_user_insert = array(
'password' => sha1($salt . $this->input->post('password')));
}
function user_signup(){ // The double insert way
$this->load->database();
$new_user_insert = array(
'password' => sha1($this->input->post('password') . $salt . $this->input->post('password')));
}
}
EDIT:
My thought is that it would make the in put twice as long, an example (username: joe, password: 123456789). So instead of having a rainbow table with my hashed 123456789, it would be 123456789123456789. I know this is a over simplification, and the hash would look more like 01a967f5d27b9e910754729a669504a60d2aa865, but a would be hacker would need a bigger rainbow table.Please correct me if I am wrong.
Thank you in advance.
Upvotes: 1
Views: 218
Answers (3)
Reputation: 8699
a would be hacker would need a bigger rainbow table
This isn't the case if the attacker knows your strategy for hashing the password.
Suppose, for simplicity's sake, that your password needs to be a 4-digit number. (Of course, this is generalizable to more complex passwords.) There are then 10,000 possible passwords. If you concatenate the password with itself to produce an 18-digit number, the attacker can deduce the second nine digits from the first nine: 1234salt1234 is potentially valid, but 1234salt4321 cannot be, and it would not be included in a rainbow table. The additional digits, bring a function of known information, add no additional complexity.
Adding a user-specific salt to the password as a hash defends against an attacker who can obtain the password hashes and who knows the system. In particular, the attacker knows the algorithm for hashing the user's password. Assuming as before a four-character numeric password, such an attacker using a brute-force strategy would still need to attempt only 10,000 combinations (0000salt0000, 0001salt0001, ..., 9999salt9999). The original strategy (not concatenating the password with itself) would also require 10,000 combinations (0000salt, ..., 9999salt), so would be no less difficult (for practical intents).
Upvotes: 3
Reputation: 4524
The purpose of entering the password a second time is just to ensure that the user hasn't mistyped it! It doesn't actually improve security by itself, and certainly there would be little gain in storing in the database twice.
It is to avoid typos. If you have to type the password twice chances are you'll make your password what you want. They want to avoid having people whose password is "blah" having to retrieve their password later on because they typed "blaj" by mistake. This is especially true since password fields show as asterisks (*********) and sometimes it is hard to tell if you typed what you thought you typed - people are likely to make typos without even realizing it. Some websites do this too with the email address when it is essential that is correct as well.
Upvotes: 0
Reputation: 8866
In general, no. Entering a password twice is useful to check whether a user typed it correctly, but never useful to have in your database twice.
Upvotes: 0
Related Questions
- Encrypting(MD5) multiple times can improve security?
- Is double hashing combined with salting an effective password storing technique?
- Is it necessary to password_hash again when first password_hash already valid ? I'm newbie
- Is it more secure to refresh hashed passwords occasionally?
- Is "double hashing" a password less secure than just hashing it once?
- Double hashing security
- Is it safer to double hash passwords with salt? (a little more complicated)
- Password hashing: Is this a way to avoid collisions?
- Using a password to generate two distinct hashes without reducing password security
- Double salt for hashing passwords?