0

So I was thinking, if people get access somehow to your list of hashes, it's easy for them to figure out what alghoritm you used if they have 32, 40, 60 characters etc

But what if you slice those strings a bit, like you use SHA-1 which is 40 and slice it to 32 characters? That would certainly make people think you are using MD5 and they will be wasting their time using md5 to find out the passwords :))

Would this improve security or have the opposite effect?

Alex
  • 527
  • 4
  • 7
  • 1
    obscurity is not security, and you're potentially making a real attack more plausible. – dandavis Jan 24 '20 at 17:57
  • 1
    If your password hashing is that weak that adding obscurity would have a noticeable impact then you are doing it wrong in the first place. Obscurity can be used as an additional line of defense but should not be used to improve a weak algorithm as long as stronger algorithms exist. – Steffen Ullrich Jan 24 '20 at 17:57

2 Answers2

2

First of all, don't use SHA-1 or MD5, as they are both deprecated (see this IETF draft). As @dandavis has correctly noted, security through obscurity does not make your system more secure.

Actually, the post that @Steffen Ullrich shared in his comment is excellent and thoroughly explains why you shouldn't focus on keeping the algorithm you used a secret, but rather on how secure the algorithm you're using is.

[Bonus] Here's a cartoon I like: enter image description here

Lastly, if you want to store your list of hashes securely (assuming passwords!?), then you should store each password with its own salt, together with a system-wide salt (called 'pepper').

You can have a look at this paper from 1979 for a more 'in-depth' explanation.

Soutzikevich
  • 295
  • 1
  • 9
2

TL;DR in addition to offering no real security, trying to obscure which hash algorithm was used is going to make your system a *pain* to manage when you have to migrate algorithms.


In addition to the general reasons why algorithm obscurity is not generally helpful, with passwords in particular, the hashing algorithm used is usually recorded right next to the password hash. You might be thinking "Why would you do that!?!" and the answer is that if you have a system full of users and need to migrate everyone from, say SHA2-256 to argon2-256, you're gonna have a bad time if you're not tracking which password hash is which algorithm.

For example:

$ cat /etc/shadow
... snip ...   
joeuser:$6$hgEjyDhga8ga8kd3$rjoiRUgVTMrIq/jhB73lhf3L2oOATKnSkE8jZZYnI8JSgx0RS4mpeh2dx

According to wikipedia, the format is "$id$salt$hashed", where the $id$ is one of:

  • $1$ – MD5
  • $2a$ – Blowfish
  • $2y$ – Eksblowfish
  • $5$ – SHA-256
  • $6$ – SHA-512
Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207