Does rehashing a randomly salted password at login increase security?

I am currently working on a project in PHP, and am wondering how to make my system as secure as currently possible. I am currently using password_hash to hash my passwords and then store them in my database. What I was wondering: Does rehashing and re-saving the new salted hash to the database increase security, or is that just an illusion?

Techno asked Dec 01 '25 05:12


1 Answer

I don't think it will increase security, no. You have two risk scenarios:

  • The cracker breaks into a server and stays there for some time undetected. In this case, passwords can just be captured programmatically, as users log in. This requires much less effort than brute-forcing strong hash algorithms.
  • The cracker breaks in, steals a copy of the database, and in response the sysadmin plugs the security hole and restores the server from backup quickly.

In the second case, the cracker has a set of usernames, email addresses and hashed passwords, which they may wish to try brute-forcing. There is no advantage to be had if these hashes were created once or a thousand times.

It's worth remembering what we're trying to guard against here. If the security of a website has been breached, there is a knock-on effect for users who have used the same username/password combination at other popular services. A major reason for hashing, and the purpose an attacker has in brute-forcing passwords, is to see if the users can be hacked elsewhere (for example their social media or bank accounts).

This is why we recommend that people should not re-use passwords, and instead that they should use strong passwords stored in a password manager. It is even better if people can use a different username and/or a different email per service. Incidentally, it is surprisingly easy to use an email per service: if you are on GMail with an address of [email protected], just do this:

[email protected]

The email should of course be stored in your password manager - if you forget this, you will not be able to use password reminder features, and you will be locked out unless the service is willing to accept some other proof of identity. Despite that, this approach is stronger against the ripple effect of using a service that is breached - a weak password reminder system elsewhere is harder to exploit if users always use different email addresses.

Users with their own domain name can do something similar - set up an email account to "catch all" and then use whatever aliases you like.

halfer answered Dec 03 '25 23:12
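The login flow the answer is discussing, as an added example in PHP that is not code from the question or the answer: it verifies with password_verify() and rewrites the stored hash only when password_needs_rehash() reports that the stored cost or algorithm is out of date, which is the one situation where rehashing at login does buy something. The in-memory $users array and the TARGET_COST constant are assumptions standing in for the site's database table and its chosen bcrypt cost.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumptions: a constructed in-memory $users array stands in for the
// database table, and TARGET_COST is a hypothetical site-wide bcrypt cost.
declare(strict_types=1);

const TARGET_COST = 12;

// Constructed sample data: one account whose hash was created when the site
// still used cost 10. password_hash() picks a fresh random salt by itself.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

/**
 * Authenticate one login attempt. Returns true on success.
 *
 * The stored hash is rewritten only when password_needs_rehash() reports
 * that it no longer matches the current algorithm or cost. Rehashing a
 * verified password merely to obtain a new random salt is deliberately not
 * done: an attacker who copies the table later gets exactly one salted hash
 * per user either way, and each guess against it costs the same 2^cost
 * bcrypt work whether the row was rewritten once or a thousand times. An
 * attacker already resident on the server simply reads $password here,
 * and no amount of rehashing changes that.
 */
function login(array &$users, string $username, string $password): bool
{
    // Hash of a throw-away value, so that an unknown username takes about
    // as long as a wrong password (no username enumeration by timing).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
    }

    $stored = $users[$username] ?? null;
    if ($stored === null) {
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }

    // The legitimate reason to rewrite a hash at login: the plaintext is
    // available only now, so this is the moment to raise the work factor.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => TARGET_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
    }
    return true;
}

// Walk-through: a wrong password is rejected, the right one is accepted.
$before = $users['alice'];
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
$after = $users['alice'];

// Compare the "$2y$NN$" prefixes: the successful login upgraded the cost.
echo substr($before, 0, 7), ' -> ', substr($after, 0, 7), PHP_EOL;

// A second successful login leaves the row alone: no pointless rewrite.
login($users, 'alice', 'correct horse battery staple');
var_dump($users['alice'] === $after);

// Two hashes of the same password already differ because of the per-hash
// random salt, and both verify; a rehash at login adds nothing that a single
// password_hash() call does not already provide.
$h1 = password_hash('same', PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
$h2 = password_hash('same', PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
var_dump($h1 !== $h2 && password_verify('same', $h1) && password_verify('same', $h2));
```

Save the file and run it with the php command-line interpreter. The pattern to keep is the password_needs_rehash() check: it lets a site raise the cost (or switch to a newer algorithm) gradually as users log in, without ever holding plaintext passwords in storage, while the unconditional rehash the question asks about only adds a database write per login.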