from what i understand just hashing once with WP should be good enough for any server.
now back in the day i would generate a
salt value
and store it in db also, then add this to the end of the password and hash it with my algorithm
From what i understand this will make it a little more secure.. Although i was not using WP back then
If anyone knows that this will not help please elaborate.
i think the WP only requires a size of 129
Quote:
Originally Posted by Ballu Miaa
Thats a nice question. But MP2 and Vinci. Cant we just hash the strings? I mean when we hash a string , it is converted into an integer constant. Now can we hash this integer constant again using the same hasher?
|
Im sure WP is returning an array of chars (i.e. a string)
EDIT: also i think i found the answer to your question at this site
http://crackstation.net/hashing-security.htm
its talking about MD5 but dont matter.
Quote:
The WRONG Way: Double Hashing & Wacky Hash Functions
This is a common one. The idea is that if you do something like md5(md5($password)) or even md5(sha1($password)) it will be more secure since plain md5 is "broken". I've even seen someone claim that it's better to use a super complicated function like md5(sha1(md5(md5($password) + sha1($password)) + md5($password))). While complicated hash functions can sometimes be useful for generating encryption keys, you won't get much more security by combining hash functions. It's far better to choose a secure hash algorithm in the first place, and use salt, which I will discuss later. Once you are using salt, you can use multiple secure hash functions, for example SHA256(WHIRLPOOL($password + $salt) + $salt). Combining secure hash functions will help if a practical collision attack is ever found for one of the hash algorithms, but it doesn't stop attackers from building lookup tables.
The attacks on MD5 are collision attacks. That means it's possible to find two different strings that have the same MD5 hash. If we were trying to prevent such an attack from affecting our cryptosystem, double hashing is the wrong thing to do. If you can find two strings of data such that md5($data) == md5($differentData), then md5(md5($data)) will STILL be the same as md5(md5($differentData)). Because the "inside" hashes are the same, so the "outside" hashes will be too. Adding the second hash did nothing. The collision attacks on MD5 don't make it any easier to recover the password from an md5 hash, but it's good practice to stop using MD5 just because there are much better functions readily available.
Double hashing does not protect against lookup tables or rainbow tables. It makes the process of generating the lookup table two times slower, but we want it to be impossible to use lookup tables. We can easily do so by adding "salt".
|
and it explains using a salt with the hash.
