Edited as suggested in comments; Post Made Community Wiki
lepe

I have learned a lot from this thread, so I thought of a way to easily understand the possible outcome when combining different methods (of course, it won't fit all cases):

[W=weak, S=strong]:

    Formula        | Example
    ---------------|-----------------
    W(W) = W       | md5(sha1(pwd))
    W(S) = W       | md5(bcrypt(pwd))
    S(W) = W       | bcrypt(md5(pwd))
    S(S) = S-      | bcrypt(scrypt(pwd)) //their interaction is unknown
    W+S = W        | md5(pwd)+bcrypt(pwd)
    S+S = W        | bcrypt(pwd)+scrypt(pwd)
    W'+S" = S      | md5(pwd1)+bcrypt(pwd2) //pwd1 != pwd2
    S'+S" = 2S     | bcrypt(pwd1)+scrypt(pwd2) //pwd1 != pwd2
    SUBSTR(W) = W  | substr(md5(pwd),n); //Shorter the string, the weaker
    SUBSTR(S) = S- | substr(bcrypt(pwd),n); //Shorter the string, the weaker
    S+x = S+       | bcrypt(pwd)+x //x=Variable str. unrelated to pwd
    S(S+x) = S-    | bcrypt(scrypt(pwd)+x) //x=Variable str. unrelated to pwd
    ROT13(S) = WS  | ROT13(bcrypt(pwd)) //If Rot13 has a vulnerability: fail

What I want to achieve here is to show in a simple way that those combinations won't add extra security in most cases (so the added complexity is not worth it).

I have learned a lot from this thread, so I thought of a way to easily understand the possible outcome when combining different methods (of course, it won't fit all cases):

[W=weak, S=strong]:

    Formula        | Example
    ---------------|-----------------
    W(W) = W       | md5(sha1(pwd))
    W(S) = W       | md5(bcrypt(pwd))
    S(W) = W       | bcrypt(md5(pwd))
    S(S) = S-      | bcrypt(scrypt(pwd)) //their interaction is unknown
    W+S = W        | md5(pwd)+bcrypt(pwd)
    S+S = W        | bcrypt(pwd)+scrypt(pwd)
    W'+S" = S      | md5(pwd1)+bcrypt(pwd2) //pwd1 != pwd2
    S'+S" = 2S     | bcrypt(pwd1)+scrypt(pwd2) //pwd1 != pwd2
    SUBSTR(W) = W  | substr(md5(pwd),n); //Shorter the string, the weaker
    SUBSTR(S) = S- | substr(bcrypt(pwd),n); //Shorter the string, the weaker
    S+x = S+       | bcrypt(pwd)+x //x=Variable str. unrelated to pwd
    S(S+x) = S-    | bcrypt(scrypt(pwd)+x) //x=Variable str. unrelated to pwd
    ROT13(S) = W   | ROT13(bcrypt(pwd)) //If Rot13 has a vulnerability: fail

What I want to achieve here is to show in a simple way that those combinations won't add extra security in most cases (so the added complexity is not worth it).

I have learned a lot from this thread, so I thought of a way to easily understand the possible outcome when combining different methods (of course, it won't fit all cases):

[W=weak, S=strong]:

    Formula        | Example
    ---------------|-----------------
    W(W) = W       | md5(sha1(pwd))
    W(S) = W       | md5(bcrypt(pwd))
    S(W) = W       | bcrypt(md5(pwd))
    S(S) = S-      | bcrypt(scrypt(pwd)) //their interaction is unknown
    W+S = W        | md5(pwd)+bcrypt(pwd)
    S+S = W        | bcrypt(pwd)+scrypt(pwd)
    W'+S" = S      | md5(pwd1)+bcrypt(pwd2) //pwd1 != pwd2
    S'+S" = 2S     | bcrypt(pwd1)+scrypt(pwd2) //pwd1 != pwd2
    SUBSTR(W) = W  | substr(md5(pwd),n); //Shorter the string, the weaker
    SUBSTR(S) = S- | substr(bcrypt(pwd),n); //Shorter the string, the weaker
    S+x = S+       | bcrypt(pwd)+x //x=Variable str. unrelated to pwd
    S(S+x) = S-    | bcrypt(scrypt(pwd)+x) //x=Variable str. unrelated to pwd
    ROT13(S) = S   | ROT13(bcrypt(pwd))

What I want to achieve here is to show in a simple way that those combinations won't add extra security in most cases (so the added complexity is not worth it).

Poster explicitly asks for his post to not be downvoted.

I have learned a lot from this thread, so I thought of a way to easily understand the possible outcome when combining different methods (of course, it won't fit all cases):

[W=weak, S=strong]:

    Formula        | Example
    ---------------|-----------------
    W(W) = W       | md5(sha1(pwd))
    W(S) = W       | md5(bcrypt(pwd))
    S(W) = W       | bcrypt(md5(pwd))
    S(S) = S-      | bcrypt(scrypt(pwd)) //their interaction is unknown
    W+S = W        | md5(pwd)+bcrypt(pwd)
    S+S = W        | bcrypt(pwd)+scrypt(pwd)
    W'+S" = S      | md5(pwd1)+bcrypt(pwd2) //pwd1 != pwd2
    S'+S" = 2S     | bcrypt(pwd1)+scrypt(pwd2) //pwd1 != pwd2
    SUBSTR(W) = W  | substr(md5(pwd),n); //Shorter the string, the weaker
    SUBSTR(S) = S- | substr(bcrypt(pwd),n); //Shorter the string, the weaker
    S+x = S+       | bcrypt(pwd)+x //x=Variable str. unrelated to pwd
    S(S+x) = S-    | bcrypt(scrypt(pwd)+x) //x=Variable str. unrelated to pwd
    ROT13(S) = W   | ROT13(bcrypt(pwd)) //If Rot13 has a vulnerability: fail

Instead of just voting my answer down (because I'm sure not everyone will agree with this), please help me improve it. What I want to achieve here is to show in a simple way that those combinations won't add extra security in most cases (so the added complexity is not worth it).

I have learned a lot from this thread, so I thought of a way to easily understand the possible outcome when combining different methods (of course, it won't fit all cases):

[W=weak, S=strong]:

    Formula        | Example
    ---------------|-----------------
    W(W) = W       | md5(sha1(pwd))
    W(S) = W       | md5(bcrypt(pwd))
    S(W) = W       | bcrypt(md5(pwd))
    S(S) = S-      | bcrypt(scrypt(pwd)) //their interaction is unknown
    W+S = W        | md5(pwd)+bcrypt(pwd)
    S+S = W        | bcrypt(pwd)+scrypt(pwd)
    W'+S" = S      | md5(pwd1)+bcrypt(pwd2) //pwd1 != pwd2
    S'+S" = 2S     | bcrypt(pwd1)+scrypt(pwd2) //pwd1 != pwd2
    SUBSTR(W) = W  | substr(md5(pwd),n); //Shorter the string, the weaker
    SUBSTR(S) = S- | substr(bcrypt(pwd),n); //Shorter the string, the weaker
    S+x = S+       | bcrypt(pwd)+x //x=Variable str. unrelated to pwd
    S(S+x) = S-    | bcrypt(scrypt(pwd)+x) //x=Variable str. unrelated to pwd
    ROT13(S) = W   | ROT13(bcrypt(pwd)) //If Rot13 has a vulnerability: fail

What I want to achieve here is to show in a simple way that those combinations won't add extra security in most cases (so the added complexity is not worth it).

lepe

I have learned a lot from this thread, so I thought of a way to easily understand the possible outcome when combining different methods (of course, it won't fit all cases):

[W=weak, S=strong]:

    Formula        | Example
    ---------------|-----------------
    W(W) = W       | md5(sha1(pwd))
    W(S) = W       | md5(bcrypt(pwd))
    S(W) = W       | bcrypt(md5(pwd))
    S(S) = S-      | bcrypt(scrypt(pwd)) //their interaction is unknown
    W+S = W        | md5(pwd)+bcrypt(pwd)
    S+S = W        | bcrypt(pwd)+scrypt(pwd)
    W'+S" = S      | md5(pwd1)+bcrypt(pwd2) //pwd1 != pwd2
    S'+S" = 2S     | bcrypt(pwd1)+scrypt(pwd2) //pwd1 != pwd2
    SUBSTR(W) = W  | substr(md5(pwd),n); //Shorter the string, the weaker
    SUBSTR(S) = S- | substr(bcrypt(pwd),n); //Shorter the string, the weaker
    S+x = S+       | bcrypt(pwd)+x //x=Variable str. unrelated to pwd
    S(S+x) = S-    | bcrypt(scrypt(pwd)+x) //x=Variable str. unrelated to pwd
    ROT13(S) = W   | ROT13(bcrypt(pwd)) //If Rot13 has a vulnerability: fail

Instead of just voting my answer down (because I'm sure not everyone will agree with this), please help me improve it. What I want to achieve here is to show in a simple way that those combinations won't add extra security in most cases (so the added complexity is not worth it).
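The `W+S = W` row, worked through as an added example that is not part of the post: it counts how many slow-KDF evaluations are needed to confirm a guess against a record that stores a fast digest next to a slow one, compared with a record that stores the slow one alone. PBKDF2 from the standard library stands in for bcrypt, and the salt, work factor, guess list and password are constructed values.

```python
import hashlib
import hmac

ITERATIONS = 50_000          # assumed work factor for the slow stand-in
SALT = b"constructed-salt"   # constructed sample value
strong_calls = 0             # counts how often the slow function runs


def weak(data: bytes) -> bytes:
    """Fast unsalted digest, the table's W (md5)."""
    return hashlib.md5(data).digest()


def strong(data: bytes) -> bytes:
    """Slow salted KDF standing in for the table's S (bcrypt/scrypt)."""
    global strong_calls
    strong_calls += 1
    return hashlib.pbkdf2_hmac("sha256", data, SALT, ITERATIONS)


def record_concat(pwd: bytes) -> bytes:
    """W+S row: md5(pwd) and S(pwd) stored side by side."""
    return weak(pwd) + strong(pwd)


def slow_calls_to_find(record: bytes, guesses, weak_prefix: bool):
    """Return (matching guess, slow-KDF calls spent while testing guesses)."""
    start = strong_calls
    for g in guesses:
        if weak_prefix:
            # The 16-byte md5 prefix is enough to confirm a guess.
            hit = hmac.compare_digest(record[:16], weak(g))
        else:
            hit = hmac.compare_digest(record, strong(g))
        if hit:
            return g, strong_calls - start
    return None, strong_calls - start


GUESSES = [b"123456", b"letmein", b"hunter2", b"correct horse"]  # constructed
PWD = b"hunter2"                                                  # constructed

if __name__ == "__main__":
    print(slow_calls_to_find(record_concat(PWD), GUESSES, True))   # W+S record
    print(slow_calls_to_find(strong(PWD), GUESSES, False))         # S alone
```

The concatenated record is confirmed without a single slow evaluation, so its per-guess cost is that of md5; the slow-only record costs one slow evaluation per guess.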