I'm currently working on a Web app that requires a high level of security and I've been thinking about the password handling. That I should use a hashed password, with a large enough salt is a given, but would it be a benefit to hash the password multiple times with different salts or different algorithms?
I'm not referring to the fact that you should hash the password multiple times to generate your password hash like Hash(Hash(Hash(salt + psw)))=pswhash, but instead I'm thinking about using Hash(Hash(Hash(salt1 + psw)))=pswhash1 and Hash(Hash(Hash(salt2 + psw)))=pswhash2, and then comparing to both upon login. Using this routine an attacker mustn't only find one password that generates pswhash, but a password that must generate both hashes correctly. This way the possibility of an collision is virtually nil, but the attacker can use the second hash to determine if a password from the first hash is correct or not.
Additional information about the application: The application is primarily an internal application for our company. Alla connections are handled with https, all usernames are unique for this application (ergo you can't choose your username) and all passwords are unique for this application (random generated, and you can't choose them). We are primarily concerned that someone gains unauthorized accesses to the system before we can react. If we have time to react the fact that "they" can find the exact password isn't that big a deal.