views:

35

answers:

2

I'm currently working on a Web app that requires a high level of security and I've been thinking about the password handling. That I should use a hashed password, with a large enough salt is a given, but would it be a benefit to hash the password multiple times with different salts or different algorithms?

I'm not referring to the fact that you should hash the password multiple times to generate your password hash like Hash(Hash(Hash(salt + psw)))=pswhash, but instead I'm thinking about using Hash(Hash(Hash(salt1 + psw)))=pswhash1 and Hash(Hash(Hash(salt2 + psw)))=pswhash2, and then comparing to both upon login. Using this routine an attacker mustn't only find one password that generates pswhash, but a password that must generate both hashes correctly. This way the possibility of an collision is virtually nil, but the attacker can use the second hash to determine if a password from the first hash is correct or not.

Additional information about the application: The application is primarily an internal application for our company. Alla connections are handled with https, all usernames are unique for this application (ergo you can't choose your username) and all passwords are unique for this application (random generated, and you can't choose them). We are primarily concerned that someone gains unauthorized accesses to the system before we can react. If we have time to react the fact that "they" can find the exact password isn't that big a deal.

A: 

You should hash a password multiple times, enough times to take up a good fraction of a second. This makes it impossible for a hacker with access to your database to crack the passwords individually as the processing power required has gone up exponentially.

See this question for related information

I think hashing with multiple salts is basically another way of rehashing, and is security through obscurity, instead of doing that I would just stick to rehashing.

Tom Gullen
I wasn't going after the rehashing issue. I'm thinking about the collision risk (albeit small) and if there would be a benefit or a risk to compare multiple hashes to avoid collision.
Lobo
A: 

Use a tried-and-tested technique -- for example, PBKDF2 -- rather than trying to roll your own.

LukeH
Thanks, but I am not trying to create my own cypher or KDF. I'm just wondering if I could benefit from hashing/cypher passwords in more than one way, and make dual (or more) comparisons
Lobo
@Lobo: My point is that using an established technique such as PBKDF2 will be simpler and (probably) more secure than your proposed approach.
LukeH