Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is "double hashing" a password less secure than just hashing it once?

Is hashing a password twice before storage any more or less secure than just hashing it once?

What I'm talking about is doing this:

$hashed_password = hash(hash($plaintext_password)); 

instead of just this:

$hashed_password = hash($plaintext_password); 

If it is less secure, can you provide a good explanation (or a link to one)?

Also, does the hash function used make a difference? Does it make any difference if you mix md5 and sha1 (for example) instead of repeating the same hash function?

Note 1: When I say "double hashing" I'm talking about hashing a password twice in an attempt to make it more obscured. I'm not talking about the technique for resolving collisions.

Note 2: I know I need to add a random salt to really make it secure. The question is whether hashing twice with the same algorithm helps or hurts the hash.

like image 685
Bill the Lizard Avatar asked Dec 07 '08 21:12

Bill the Lizard


People also ask

Should you hash a password multiple times?

In fact, hashing the password many times can be a very good idea, as long as you do it sufficiently many times. This is one way to slow down the hashing process, and so make it more resistant to brute force cracking attempts, a technique known as key stretching.

Does hashing a hash make it more secure?

ANY encryption, hashing or other obfuscation is far better than plaintext! The problem with sha1 is that its fast, so its fast to generate hashes to crack against. Salting helps a lot, but if your server is compromised and you have your salt hash stored as a string somewhere, there goes that advantage...

What is the most secure password hashing algorithm?

To the time of writing, SHA-256 is still the most secure hashing algorithm out there. It has never been reverse engineered and is used by many software organizations and institutions, including the U.S. government, to protect sensitive information.

Are one way hashes secure?

Although making it longer will make it more secure, only if you use numeric/alphabetic/other characters. SHA1 is another hashing (one way encryption) algorithm, it is slower, but is has a longer digest. (encoded messsage) (160 bit) where MD5 only has 128 bit. Then SHA2 is even more secure, but it used less.


1 Answers

Hashing a password once is insecure

No, multiple hashes are not less secure; they are an essential part of secure password use.

Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from hours to years.

Simple iteration is not enough

Merely chaining hash output to input isn't sufficient for security. The iteration should take place in the context of an algorithm that preserves the entropy of the password. Luckily, there are several published algorithms that have had enough scrutiny to give confidence in their design.

A good key derivation algorithm like PBKDF2 injects the password into each round of hashing, mitigating concerns about collisions in hash output. PBKDF2 can be used for password authentication as-is. Bcrypt follows the key derivation with an encryption step; that way, if a fast way to reverse the key derivation is discovered, an attacker still has to complete a known-plaintext attack.

How to break a password

Stored passwords need protection from an offline attack. If passwords aren't salted, they can be broken with a pre-computed dictionary attack (for example, using a Rainbow Table). Otherwise, the attacker must spend time to compute a hash for each password and see if it matches the stored hash.

All passwords are not equally likely. Attackers might exhaustively search all short passwords, but they know that their chances for brute-force success drop sharply with each additional character. Instead, they use an ordered list of the most likely passwords. They start with "password123" and progress to less frequently used passwords.

Let's say an attackers list is long, with 10 billion candidates; suppose also that a desktop system can compute 1 million hashes per second. The attacker can test her whole list is less than three hours if only one iteration is used. But if just 2000 iterations are used, that time extends to almost 8 months. To defeat a more sophisticated attacker—one capable of downloading a program that can tap the power of their GPU, for example—you need more iterations.

How much is enough?

The number of iterations to use is a trade-off between security and user experience. Specialized hardware that can be used by attackers is cheap, but it can still perform hundreds of millions of iterations per second. The performance of the attacker's system determines how long it takes to break a password given a number of iterations. But your application is not likely to use this specialized hardware. How many iterations you can perform without aggravating users depends on your system.

You can probably let users wait an extra ¾ second or so during authentication. Profile your target platform, and use as many iterations as you can afford. Platforms I've tested (one user on a mobile device, or many users on a server platform) can comfortably support PBKDF2 with between 60,000 and 120,000 iterations, or bcrypt with cost factor of 12 or 13.

More background

Read PKCS #5 for authoritative information on the role of salt and iterations in hashing. Even though PBKDF2 was meant for generating encryption keys from passwords, it works well as a one-way-hash for password authentication. Each iteration of bcrypt is more expensive than a SHA-2 hash, so you can use fewer iterations, but the idea is the same. Bcrypt also goes a step beyond most PBKDF2-based solutions by using the derived key to encrypt a well-known plain text. The resulting cipher text is stored as the "hash," along with some meta-data. However, nothing stops you from doing the same thing with PBKDF2.

Here are other answers I've written on this topic:

  • Hashing passwords
  • Hashing passwords
  • Salt
  • Hiding salt
  • PBKDF2 versus bcrypt
  • Bcrypt
like image 164
erickson Avatar answered Sep 19 '22 15:09

erickson