Home Forums Storing password as hash? Reply To: Storing password as hash?



It depends on your threat model.

If you’re being specifically targeted, then as others have pointed out, its not a good trade-off for a long random password (though it could be used in addition to a long random password) since the attacker will probably figure it out or know that you’re doing this.

If you’re trying to protect against large scale database dumps then as long as it remains an obscure practice, it should be a good compromise for most use cases. If it becomes a widely adopted practice then cracking tools will start adding hash-in-a-hash rules, just like they’ve added rules for normal manual password lengthening techniques. So, once that happens, it might not be a good compromise, since by definition your second hash should be trivial to guess. but for now? why not. Sure as hell beats using 1337 sp34k, interspersing numbers and letter or other common human-based password lengthening techniques.