## Yes, But..

To make it nice and clear...

In the event of a database-only compromise when a user has access to the database but not the application source code, someone will get the password hashes but will be unable to crack them and get the original passwords because of Dave's custom algorithm. So in the case of a database-only breach, Dave's password algorithm will protect passwords more than if he had used MD5 or SHA1.

**However**

That's only one possible avenue for system leaks. There is one key fact that trashes the "math" that makes Dave's homebrew algorithm seem reasonable.

## Half of all breaches start internally.

Which is a very sobering fact, once you let it sink in. Of the half of breaches caused by employees, half of them are accidental and **half are intentional**. Dave's algorithm can be helpful if all you are worried about is a database-only leak. If that is all you are worried about though, then the threat model you are protecting against in your head is wrong.

To pick just one example, developers by definition have access to the application source code. Therefore if a developer gains read-only access to the production database they now have everything they need to easily crack the passwords. Dave's custom algorithm is now useless, because it relies on old and easy-to-crack hashes.

However, if Dave had used a standard and modern password hashing algorithm and used both a salt and pepper, the developer who gained access to a database-only dump would have absolutely nothing useful at all.

## In Summary

It's all about defense in depth. It's easy to create a security measure that can protect against one particular kind of attack (Dave's algorithm is perfectly fine for protecting against database-only leaks). However, that doesn't make a system secure. Many real-world breaches are quite complicated, taking advantage of weaknesses at multiple points in a system in order to finally do some real damage.

Any security measure that starts with the assumption "This is the only attack vector I have to worry about" (which is what Dave did) is going to get things dangerously wrong.
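The salt-and-pepper arrangement the answer recommends, as an added example that is not part of the original answer: a per-user salt stored in the database, a pepper held outside it, and a check showing that the stored row alone cannot confirm even the correct password. The function names, the HMAC-then-scrypt construction and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption: the pepper is loaded from outside the database (environment,
# secrets manager, HSM). A random constructed value stands in for it here.
PEPPER = os.urandom(32)


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper is mixed in as an HMAC key, then the result goes through scrypt,
    # a deliberately slow, memory-hard password hash.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(keyed, salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    # The returned dict is what gets stored in the users table: per-user
    # random salt plus the hash. The pepper is never written to the database.
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt, pepper)}


def verify_password(password: str, row: dict, pepper: bytes = PEPPER) -> bool:
    candidate = _derive(password, row["salt"], pepper)
    return hmac.compare_digest(candidate, row["hash"])


def confirmable_from_dump(row: dict, candidates: list) -> list:
    # Models a reader of a database-only dump: salt and hash are known, the
    # pepper is not, so a placeholder (all zero bytes) is used in its place.
    unknown_pepper = bytes(32)
    return [c for c in candidates if verify_password(c, row, unknown_pepper)]


if __name__ == "__main__":
    row = hash_password("correct horse battery staple")  # constructed sample
    print(verify_password("correct horse battery staple", row))
    print(confirmable_from_dump(row, ["correct horse battery staple"]))
```

The protection depends entirely on the pepper staying out of the database and out of anything a database reader can also reach, which is the defense-in-depth point the answer makes.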