For example,one of the techniques is adding some random messages with the original passwords to prevent rainbow table attack
Making the hash function slower (increasing the work factor) makes it harder to break, but adding a random salt doesn't doesn't make the hash harder to break at all, that's not what it's supposed to do.
What it does is protect two or more users who all have the same password. A hash of the same input will always have the same output - so all the users with the same hash in the database must have the same password. If you crack one, you get them all.
Adding a random salt to each password makes their hashes different, so the rainbow table cracks only one at a time.
Isn't making password hashing slower using recursion or iteration same as making the login slower for the users?
Yes.
If password verification was a fast hash, attackers can check lots of passwords quickly and find the right one. So hash functions for passwords should be slow to protect against that. And their normal use is a person typing and watching a login screen, waiting half a second, once, is not a bad trade off.
Some are slow by design (bcrypt) and some are slow by doing a fast hash over and over (pbkdf2).
Scrypt is a variant on this idea as well - a hash which makes the calculation take a lot of time, and also makes it take a lot of memory to do - so trying to attack it fast by using multiple computers is expensive.
https://codahale.com/how-to-safely-store-a-password/ discusses this tradeoff with examples.
Are password hashing techniques made generally secret or open to others.
Generally open. An older hash (now deprecated) was RC4, and that was a proprietary development by the company RSA Security, and never officially released, but it leaked, was confirmed, and widely used anyway.
Common password hashing algorithms (slow) are open:
- bcrypt, which was publically released and is used in OpenBSD, which is open source.
or official standards through the Internet Engineering TaskForce (IETF):
Common fast hashing algorithms (used in SSH, IPSEC, TLS) are open standards too, e.g.
and there's also RFC 6234 which says "The United States of America has adopted a suite of Secure Hash Algorithms (SHAs) [..] namely SHA-224, SHA-256, SHA-384, and SHA-512. This document makes open source code performing these SHA hash functions conveniently available to the Internet community.".
Alternatives to PBKDF2 Argon2 and Lyra2 are open source as well.
That's not to say that people can't make proprietary closed hashing algorithms, or base their password hashes on fast algorithms, but [Microsoft makes use of MD5] in Active Directory password hashes, and lots of companies use PBKDF2.
(In fact, I'd be curious to find proprietary hash functions used in popular systems, I can't think that I know of any)
