Return to Revisions

Multiple Iterations - This helps. Its called key-strengthening and it raises the computational complexity. E.g., if you key-strengthen by a factor of a 1000, an attacker can try 1000 less possible passwords in the same amount of GPU/CPU time.

Multiple hash functions - In principle if one particular hash function is somehow broken (e.g., you can reverse the hash in much faster time than trying every password), but the other hash functions used in the chain are not broken. However in my view with modern cryptographic hash functions, that's a fairly unlikely threat. E.g., that your attacker has broken iterated sha512, so can quickly come up with a password that works for sha512 key-strengthened N times, but not sha512(salt||bcrypt(salt||sha512(salt||pw))). Possibly NSA or serious academic computer scientist may come up with clever ways to break hashing algorithms, but not your average malicious attacker.

Salt mixing - This is an implementation detail, and doing it adds no complexity to an attacker. (Rainbow tables for an complex key-strengthened salted hashes don't exist.)

Unique schemes - Again an implementation detail, and adds no security. Also don't run bcrypt multiple times; that's silly. Bcrypt is already keystrengthened. E.g., if you hash a bcrypt function with a cost of 16, that means the key went through 2^16 ~ 65536 rounds, so if you want a stronger hash just increase the cost (every increase by 1; means bcrypt will be half as slow).

Black Magic - As a programmer, I wouldn't suggest doing this; as black magic is a maintainance nightmare for you and your team, and again not too significant for an attacker to overcome. (They steal your source code; see what the functions do to a password and use for their brute forcing). If they manage to steal your hashes, they probably have at least one account where they know a password and stole the hash, so can try reverse engineering it (even if they didn't get the source code). Its like obsfucating your source code on your own server. Its more a hassle for you the developer/maintainer, not really for the attackers.

Obsfuscation - Don't do this. See black magic. Or just operate on Kerckhoff's principle aka Shannon's maxim: assume the enemy knows the system. Obfuscation/black magic can be overcome with a little analysis and provides some security, but not much. However, a strong key-strengthened cryptographic hash with a high-entropy initial passphrase/password can easily be built to have a computational complexity thats completely infeasible to attack without major advances in computer science (e.g., a quantum computer).