Many hash iterations: append salt every time?

by

In short: Yes. Go with the first example… The hash function can lose entropy if feed back to itself without adding the original data (I can’t seem to find a reference now, I’ll keep looking).

And for the record, I am in support of hashing multiple times.

A hash that takes 500 ms to generate is not too slow for your server (considering that generating hashes are typically not done the vast majority of requests). However a hash that takes that long will significantly increase the time it will take to generate a rainbow table…

Yes, it does expose a DOS vulnerability, but it also prevents brute force attacks (or at least makes them prohibitively slow). There is absolutely a tradeoff, but to some the benefits exceed the risks…

A reference (more like an overview) to the entire process: Key Strengthening

As for the degenerating collisions, the only source I could find so far is this discussion

And some more discussion on the topic:

  1. HEKS Proposal
  2. SecurityFocus blog on hashing
  3. A paper on Oracle’s Password Hashing Algorithms

And a few more links:

  1. PBKDF2 on WikiPedia
  2. PBKDF2 Standard
  3. A email thread that’s applicable
  4. Just Hashing Is Far From Enough Blog Post

There are tons of results. If you want more, Google hash stretching… There’s tons of good information out there…

More Related Contents:

  1. How do you use bcrypt for hashing passwords in PHP?
  2. Secure hash and salt for PHP passwords
  3. How can I store my users’ passwords safely?
  4. How do you Encrypt and Decrypt a PHP String?
  5. Simplest two-way encryption using PHP
  6. How to encrypt/decrypt data in php?
  7. Two-way encryption: I need to store passwords that can be retrieved
  8. Generating a random password in php
  9. Login without HTTPS, how to secure?
  10. How to best store user information and user login and password
  11. encrypt and decrypt md5
  12. How to create a laravel hashed password
  13. Is it ever ok to store password in plain text in a php variable or php constant?
  14. a better approach than storing mysql password in plain text in config file?
  15. Unique key generation
  16. How can I prevent SQL injection in PHP?
  17. How do I use password hashing with PDO to make my code more secure? [closed]
  18. Examples of SQL Injections through addslashes()?
  19. PHP: Is mysql_real_escape_string sufficient for cleaning user input?
  20. PHP image upload security check list
  21. PHP: How To Disable Dangerous Functions
  22. MCrypt rijndael-128 to OpenSSL aes-128-ecb conversion
  23. How to prevent multiple logins in PHP website
  24. Generate cryptographically secure random numbers in php
  25. Secure User Image Upload Capabilities in PHP
  26. Set httpOnly and secure on PHPSESSID cookie in PHP
  27. Does PHP’s $_REQUEST method have a security problem?
  28. Json: PHP to JavaScript safe or not?
  29. How to generate random password with PHP?
  30. What encryption algorithm is best for encrypting cookies?

Leave a Comment