
Multiple Password Hash

Developer https://www.devze.com 2023-01-17 16:09 Source: Web

I'm currently working on a Web app that requires a high level of security and I've been thinking about the password handling. That I should use a hashed password, with a large enough salt is a given, but would it be a benefit to hash the password multiple times with different salts or different algorithms?

I'm not referring to the fact that you should hash the password multiple times to generate your password hash like Hash(Hash(Hash(salt + psw)))=pswhash, but instead I'm thinking about using Hash(Hash(Hash(salt1 + psw)))=pswhash1 and Hash(Hash(Hash(salt2 + psw)))=pswhash2, and then comparing to both upon login. Using this routine an attacker must not only find one password that generates pswhash, but a password that generates both hashes correctly. This way the possibility of a collision is virtually nil, but the attacker can use the second hash to determine if a password from the first hash is correct or not.

Additional information about the application: The application is primarily an internal application for our company. All connections are handled with https, all usernames are unique for this application (ergo you can't choose your username) and all passwords are unique for this application (randomly generated, and you can't choose them). We are primarily concerned that someone gains unauthorized access to the system before we can react. If we have time to react, the fact that "they" can find the exact password isn't that big a deal.


Use a tried-and-tested technique -- for example, PBKDF2 -- rather than trying to roll your own.


You should hash a password multiple times, enough times to take up a good fraction of a second. This makes it impossible for a hacker with access to your database to crack the passwords individually as the processing power required has gone up exponentially.

See this question for related information

I think hashing with multiple salts is basically another way of rehashing, and is security through obscurity; instead of doing that, I would just stick to rehashing.

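What the two answers recommend, as an added example that is not code from the question or the answers: PBKDF2-HMAC-SHA256 with a random per-user salt, an iteration count stored next to the hash so it can be raised later, and a calibration helper for picking a count that costs a good fraction of a second on the deploying machine. The `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>` record format is an assumption made here, not a standard.

```python
import hashlib
import hmac
import os
import time

# Added example (not code from the question or answers). PBKDF2-HMAC-SHA256 with a
# random per-user salt; the iteration count is stored next to the hash so it can be
# raised later. Record format is an assumption: "pbkdf2_sha256$<iters>$<salt hex>$<hash hex>".
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
DKLEN = 32


def hash_password(password, iterations, salt=None):
    """Derive a salted PBKDF2 hash and encode it together with its parameters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iter_text, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: reject, never crash
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DKLEN)
    return hmac.compare_digest(candidate.hex(), hash_hex)  # no early exit on first mismatch


def needs_rehash(stored, minimum_iterations):
    """True when a record uses fewer iterations than the current policy requires."""
    try:
        algorithm, iter_text, _, _ = stored.split("$")
        return algorithm != ALGORITHM or int(iter_text) < minimum_iterations
    except ValueError:
        return True


def calibrate_iterations(target_seconds, probe=20_000):
    """Estimate the iteration count that makes one derivation take about target_seconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * SALT_BYTES, probe, DKLEN)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))
```

On a successful login, `needs_rehash` lets you transparently re-store the password with today's iteration count, which is how the "take a good fraction of a second" advice keeps up with faster hardware.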
