Storing password as hash? – Digitalmunition

Home Forums Storing password as hash?

This topic contains 1 reply, has 2 voices, and was last updated by  Ragloph 1 month, 3 weeks ago.

  • Author
  • #365925


    Remembering passwords is hard right? So I came up with this new idea of creating really simple rememberable passwords( like “samhere2000”) and taking their hash and then using the hash as password. That way, if I need the password , I would just have to hash the rememberable password. Just wanna know if this is a good idea or not

  • #365936


    Not a bad idea but idk I think Its easier to brute force a random hash (if you had a hint of It) than a logic sentence like “hello friend”.

  • #365937


    That’s actually a really interesting idea

  • #365934


    Just use the world’s most secure password:

  • #365935


    Not really because your hash is as secure as your simple password. If someone wants to brute force your password, then they can learn (like by reading this post) that you use hashes of simple string. So it becomes as hard as brute forcing simple passwords.
    You are better off using a random password generator, and securing them with a password manager locked by a long and hard to guess password. You only have one, so it’s not so bad.

  • #365933


    It depends on your threat model.

    If you’re being specifically targeted, then as others have pointed out, its not a good trade-off for a long random password (though it could be used in addition to a long random password) since the attacker will probably figure it out or know that you’re doing this.

    If you’re trying to protect against large scale database dumps then as long as it remains an obscure practice, it should be a good compromise for most use cases. If it becomes a widely adopted practice then cracking tools will start adding hash-in-a-hash rules, just like they’ve added rules for normal manual password lengthening techniques. So, once that happens, it might not be a good compromise, since by definition your second hash should be trivial to guess. but for now? why not. Sure as hell beats using 1337 sp34k, interspersing numbers and letter or other common human-based password lengthening techniques.

  • #365932


    If a hacker would bruteforce a stolen database full of hashes and do like

    Passwordlist (With your simple password) > Hash all passwordlist Rows (your algorithm) > Hash your row (database algorithm) > Match outcomes.

    It wouldn’t be safe since he just undo’s your extra step.

    I would just stick with a strong password on your password manager and random generate all the password you use elsewere.

  • #365926


    Theoretically, using a result of hashing as password means enough security for anyone for eternity. That’s the whole point in hashing, it creates a random but (up to a limit) unique string so you only have to remember a shorter phrase. Given the enormous number of possibilities it is virtually impossible to bruteforce a hash of a hash or even find in a rainbow table.

    I am personally using the same technique and see no flaw of it, so I can confidently recommend it to anyone. Just remember which algorithm you used.

  • #365927


    That would be cool if bruteforcing passwords were still a thing. If you use this everywhere you would still be screwed if this gets leaked.

  • #365928


    No, stop trying to come up with cool ideas to remember a passwords and just use a password manager.

    Every week someone comes up with this “really cool” and “unique” way of remembering passwords. Just stop, they’re all bad because they’re based on something week. “I use a weak password and hash it”. “I use a weak password but add the site so it’s long and unique”. “I use a weak password, but change the E’s to 3’s!”. No, just stop, stop remembering passwords. You need to remember like 3 passwords: the one to your password manager, the one to unlock your desktop, and… I’m sure there’s another in there somewhere. Use a 5+ word -random- phrase for these. Everything else, just use a password manager. FOR THE LOVE OF ALL THAT IS HOLY PLEASE STOP CREATING YOUR OWN PASSWORD MANAGEMENT SCHEMES! I hope I’ve made it clear how terrible all of this is, just use a friggin password manager!

  • #365929


    There are some issues associated with it and things to keep in mind… check out the following discussions on the topic:


  • #365930


    This is security through obscurity- you’re banking on the idea that the attacker doesn’t know you’re using a hash so you can get away with a weaker key.

  • #365931


    Nowadays the browsers’ built in password remembering services are pretty well secured and stored in the cloud, when you use something like Chrome Sync. Previously they weren’t as secure, because they were storing them in the preferences files location, locally, together with the decryption key. They were pretty easy to decode and steal by even the simplest virus (stealer type).

    But today they store them in the cloud, synced with your account that you use to sign into the browser to sync your browsing history and extensions. You can even provide a passphrase to be used as ‘salt’ when encrypting your data.

    There are also 3rd party services like Bitwarden that have extensions for all big browsers and mobile platforms that do the same thing.

    Furthermore, when you use a password remembering service, you can generate random passwords that you yourself don’t even know. Both browsers (at least Chrome) and 3rd party tools have mobile integrations that allow you to prefill passwords even outside the browser, in dedicated apps. They really cover all cases where you need to enter your password pretty well and, in my opinion, there’s no need to ever remember your passwords.

    It goes without saying that I wouldn’t trust this with finance / banking apps, but for 99% of the websites, I use Chrome’s password manager and it’s awesome. Highly recommended!

You must be logged in to reply to this topic.