Information Security
HoHsi, 2016-10-20 19:22:24

Does it make sense to hash already hashed passwords?

Good afternoon!
I read that MD5 + salt is not a particularly safe combination, and as part of strengthening the security of my services I decided to take action.
Right now the database contains hashed (SHA256) user passwords + salt (uuid v4). Does it make sense to hash them again with, say, Scrypt (or Bcrypt), or will that not make SHA256 any more secure and only create a garbage load?
Or does it make sense to add a crypto_type field that stores which hash the password was hashed with, leave the old passwords alone, and hash only new users with Scrypt?


2 answer(s)
Vladimir Dubrovin, 2016-10-20
@z3apa3a

Yes, it makes sense, at least for bcrypt. The purpose of bcrypt is to slow down the brute-force process and make it resource intensive and difficult to implement on specialized hardware / GPUs / botnets etc. (see for example openwall.info/wiki/john/GPU/bcrypt). This greatly slows down the guessing of even relatively weak passwords.
There are even more interesting algorithms, such as Argon2 and yescrypt.
It is not worth introducing different hashes for different users; the solution with "rehashing" the old hashes is quite safe.
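The rehashing approach from the answer, as an added example that is not from the question or the answer: a one-off migration wraps each stored SHA256 hash in scrypt (Python's stdlib hashlib.scrypt, standing in for bcrypt) without knowing the passwords, and new users get the very same scheme, so no per-user crypto_type field is needed. The salt + password concatenation order and the scrypt work factors are assumptions.

```python
import hashlib
import hmac
import os
import uuid

# Scrypt work factors: an assumption for this example, not from the page.
# Raise N until one hash takes a noticeable fraction of a second on the server.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def legacy_sha256(password: str, salt: str) -> str:
    """The existing scheme from the question: SHA256 over salt + password,
    with a uuid v4 string as the salt. The concatenation order is assumed."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def wrap_in_scrypt(sha256_hex: str) -> dict:
    """Run scrypt over a stored SHA256 hash. Works on existing rows without
    knowing the password: the hex digest is the 'password' scrypt sees.
    Hex (64 ASCII chars) keeps the inner value free of NUL bytes and under
    72 bytes, which matters if bcrypt is used as the outer hash instead."""
    scrypt_salt = os.urandom(16)
    digest = hashlib.scrypt(sha256_hex.encode("ascii"), salt=scrypt_salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"scrypt_salt": scrypt_salt.hex(), "hash": digest.hex()}


def migrate_row(row: dict) -> dict:
    """One-off migration of a legacy row {'salt', 'sha256'} to scrypt(sha256).
    After this the bare SHA256 value is no longer stored anywhere."""
    return {"salt": row["salt"], **wrap_in_scrypt(row["sha256"])}


def create_user_row(password: str) -> dict:
    """New users get the identical scheme: SHA256 first, then scrypt."""
    salt = str(uuid.uuid4())
    return {"salt": salt, **wrap_in_scrypt(legacy_sha256(password, salt))}


def verify(password: str, row: dict) -> bool:
    """Single verification path for migrated and newly created rows."""
    inner = legacy_sha256(password, row["salt"]).encode("ascii")
    digest = hashlib.scrypt(inner, salt=bytes.fromhex(row["scrypt_salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), row["hash"])
```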
