Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

This is all just for curiosity\'s sake, so discussion on which hashing algorithm

ID: 661749 • Letter: T

Question

This is all just for curiosity's sake, so discussion on which hashing algorithm is harder/better/faster/stronger is irrelevant. But my question/thought is this..

With regards to password storage, and to prevent hash collisions, I was thinking that one possibility would be to create one hash that is basically salted and hashed, and then create any number of alternate hashes where the password is modified in some unique way (Rot-13, Reversed, etc.), then salted with a different salt and hashed. Then store and compare all the hashes when logging in.

Would this situation be easier to crack, given that the attacker has more information to get at the actual password? Or is it more difficult given that the attacker now has to crack multiple hashes to get at the password?

Explanation / Answer

This is not a good idea.

The first reason is that collisions are not an issue. For password hashing, you don't rely on resistance to collisions, but on resistance to preimages. There is no need for a password hashing function to admit easy-to-build collisions, but if it does, this is not a problem either. For instance, collisions can be built with PBKDF2. And we don't mind.

The second reason is that the attacker intent on finding a password which matches a given hash has no need to compute several hashes. The attacker tries a long list of potential passwords, but that list is way smaller than the hash function output range. The consequence is that when the attacker finds a matching password, it is the password -- and this is so even when the attacker works over a single hash function. Therefore, though you spend the CPU to compute several hashes, the attacker is perfectly content to work with only one. In other words, the several hashes waste your CPU. This is important because you normally want to use a slow hash (with a configurable number of iterations) so that attacks are made slower. By doing the job several times, you force yourself to lower the iteration count, thereby automatically giving an advantage to the attacker.

The third reason is a generalization of the previous one: the attacker only needs to work on one hash value. If you provide several, then this can only help the attacker: he will choose the one which makes things easiest for him.

Related Questions

This is a wireshark assignment. I neeed help or some sort of direction with two
Question #3561015
This is a word problem I need help on. I would appreciate any help given! Washin
Question #3198418
This is a work in process inventory problem. I want to make sure I\'m determinin
Question #2422351
This is a working project but we made it with the Specifics 2^8 entries in the p
Question #3737494
This is a written assignment and should be handed in person at the beginning of
Question #3754357
This is a written assignment that should conform to the Guidelines for Written A
Question #380418
This is a written question, worth 14 points. DO NOT place the problem code on th
Question #3208235
This is a “gas meter” problem. The gas meters in the problem show integer values
Question #3639535
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
This is all in python Language Please help there is some code that I have but im
Next
This is all made in Html In a file named menu.html you will create a menu for a

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.