1

i heard on another site that doing something like is a bad idea:

$string = "hello"; sha1(hash("sha512", $string));

... as far as i am concerned its a good, clever idea! why is it not? (i did not quite understand the explanation on the other site)

Thanks

Improve this question
9
  • Can you link a reference to where you read it? Maybe we can provide some context. Multiple rounds of hashing is not uncommon. If done with a slow algorithm it creates a kind of rate-limit against brute-force attacks. Commented Feb 14, 2013 at 21:47
  • this is the site phpacademy.org/forum, but annoyingly its under some technical issues Commented Feb 14, 2013 at 21:48
  • would you recommend it? Commented Feb 14, 2013 at 21:48
  • 2
    stackoverflow.com/questions/348109/… - almost duplicated Commented Feb 14, 2013 at 21:49
  • One advantage is that the hash will most likely not be in any lookup table with known hashes. Commented Feb 14, 2013 at 21:49

2 Answers 2

Reset to default
3

There's nothing wrong with hashing multiple times. There are a number of cases where this is actually a good idea.

  1. You want to slow down brute force attacks.
  2. You have a databases full of hashed passwords that use a broken hashing scheme. Upgrading from MD5 to SHA1 for example.
  3. You're implementing a challenge/response scheme.
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

what do you mean "You're implementing a challenge/response scheme."?
@Caspar If you want to verify that someone has the same key or salt that is stored on the server, the server could hash a randomly generated message using that key/salt and send it to the client. The client would then use the key/salt to hash the hash and send back the double hash. The server would then hash the original hash with the key again to compare that it matches what the client sent.
1

The example you pasted is bad because you're hashing a 512-bit hash with a 160-bit hash.

Improve this answer

1 Comment

It's probably just a quick and dirty example, rather than actual code the OP is using.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.