Password Hashing: PBKDF2, Scrypt, Bcrypt

Michele Preziuso
4 min read · Jun 22, 2015

Do we gain security by using multiple slow-hashing functions to safely store a password?

This article was published in 2015, so it doesn’t reflect the current state of things, but you can read the 2019 update.

A question has been recently raised to me on password hashing:

Do we gain security by using multiple slow-hashing functions to safely store a password?

While all of these functions are pretty much safe given a proper implementation and good cost parameters (and therefore there’s no need to increase architectural complexity), I wanted to give a wider retrospective on the real security of such a system, and I’ll post it here as well.

In 2015, if you’re storing passwords, I hope we can already assume that you’re storing the hashed version of them. Hashing is a one-way process which, given some data, turns it into a unique string of fixed length, and it will always return the same string for the same data. This allows a system to check the validity of a password with no knowledge of the original data (the plaintext password), at least in theory. (Disclaimer: some hashing functions have collisions, which means that different data might result in the same output. This…
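As an added illustration (not the article’s own code), here is the store-and-verify flow described above using PBKDF2-HMAC-SHA256 from Python’s standard library: the stored record holds the salt and the cost parameter but never the password, the same password and salt always re-derive the same hash, and verification compares in constant time. The record format, iteration count and salt size are choices made for this example, not values from the article.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not taken from the article).
# The iteration count is the "cost parameter": raising it makes every
# derivation slower for the defender and the attacker alike.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    The record stores everything needed to re-run the derivation later
    (algorithm, cost, salt) but not the password itself: the derivation is
    one-way, so the plaintext cannot be recovered from what is stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the candidate password plus the stored salt and
    cost, then compare in constant time so timing does not leak how many bytes
    of the digest matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_hex_length(record: str) -> int:
    """Length of the stored hash in hex characters: fixed regardless of the
    password length, which is the 'fixed length' property described above."""
    return len(record.split("$")[3])


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
```

Only the record is persisted; a login re-runs `verify_password` with whatever the user typed. Because the salt is part of the record, two users with the same password still get different stored hashes, and because the cost is part of the record, it can be raised over time without invalidating existing entries.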

Michele Preziuso: CEO @KaosDynamics. Sr. Software Engineer @Peach_video. AWS Certified DevOps Engineer, Solutions Architect. Security fanatic.