 

Is it bad practice to store the hash function used as part of the hashed password?

Using the php source code for hashing+salting at crackstation.net, the returned hash includes what hashing algorithm was used. I store the hash as returned from the create_hash function in my database. Is it bad practice to store this information? Will this give a hacker an advantage?

902 likes
Adam Johns asked Oct 02 '22 23:10


2 Answers

I think this is good practice. It means that if you upgrade your hashing function (to something more secure), new users will use the new one immediately.

Now, you can't rehash users on the old hashing functions immediately, since you need their password to do that, and you can't retrieve it from its hashed state. Instead, when such a user logs in, you use their password to store a new hashed column, and reset the hashing function against their user account.

Thus, with such a configuration, users will slowly move onto the more secure system as they log in.

118 likes
halfer answered Oct 12 '22 10:10
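The upgrade-on-login flow halfer describes, written out as an added example (not code from the question or from the crackstation source). It uses PHP's built-in `password_hash` / `password_verify` / `password_needs_rehash`, whose output is self-describing in the same way: the stored string begins with an algorithm identifier and cost (`$2y$12$...` for bcrypt with cost 12), so the database column records which function was used. The `make_user` and `login` functions and the in-memory `$user` array are assumptions standing in for a real user table.

```php
<?php
// Added example: store a self-describing hash and transparently upgrade it
// the next time the user authenticates. Uses only PHP's standard password API.

// Policy the application currently wants every stored hash to satisfy.
// Raise the cost (or switch to PASSWORD_ARGON2ID where available) and every
// existing user is migrated the next time they log in.
const WANTED_ALGO    = PASSWORD_BCRYPT;
const WANTED_OPTIONS = ['cost' => 12];

// Hypothetical user record; a real application would read and write a DB row.
function make_user(string $password, $algo, array $options): array
{
    return ['hash' => password_hash($password, $algo, $options)];
}

// Returns true on a successful login. As a side effect it rewrites
// $user['hash'] when the stored hash no longer matches the wanted policy.
function login(array &$user, string $password): bool
{
    // password_verify reads the algorithm, cost and salt from the hash itself.
    if (!password_verify($password, $user['hash'])) {
        return false; // wrong password: the stored hash is never touched
    }

    // Only now do we hold a verified plaintext, so this is the one moment an
    // outdated hash can be replaced without forcing a password reset.
    if (password_needs_rehash($user['hash'], WANTED_ALGO, WANTED_OPTIONS)) {
        $user['hash'] = password_hash($password, WANTED_ALGO, WANTED_OPTIONS);
        // In a real application: UPDATE users SET password_hash = ... WHERE id = ...
    }
    return true;
}

// Constructed sample: a legacy record created with bcrypt's minimum cost of 4.
$user = make_user('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
echo "before: {$user['hash']}\n";                          // starts with $2y$04$

var_dump(login($user, 'wrong password'));                  // bool(false), hash unchanged
var_dump(login($user, 'correct horse battery staple'));    // bool(true), hash upgraded
echo "after:  {$user['hash']}\n";                          // now starts with $2y$12$
```

The rehash happens inside the login path because that is the only time the server legitimately holds the plaintext. Note that the algorithm prefix is not a secret: anyone who has obtained the hash string can read it, and the same information is usually recoverable from the hash's length and format anyway, so the prefix costs nothing while making the migration possible.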


I wouldn't say it's a bad practice. The hash function can often be identified from the nature of the output hash (e.g. string length, etc.), so you probably wouldn't be telling an attacker anything they couldn't figure out from the hash anyway.

23 likes
AlliterativeAlice answered Oct 12 '22 11:10