I hear rumors that double hashing is bad...
like hash("sha512", hash("whirlpool", "string"))
Is it bad and less secure? If so, why?
Thanks for any help!
I haven't seen much in the way of guidance on this, but from what I can see you're not likely to run into any issues.
Theoretically, you'll be reducing the entropy of the input if your inputs are larger than your first hash. In reality, I'm not sure that it's a problem.
When migrating an application from unsalted MD5 to bcrypt, I simply bcrypted everybody's MD5 hashes then bcrypt(md5('password')) to check it at login. I reasoned that MD5 digests are 128-bit and that's much larger than the likely entropy of people's passwords.
In comparison, whirlpool hashes have a digest output of 512-bits.
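
The MD5-to-bcrypt migration described in the answer above, as an added PHP example that is not part of the original post. It goes one step further than the answer by replacing the wrapped hash with a plain bcrypt hash on the first successful login; the function names, the `scheme` field and the sample record are assumptions made up for illustration.

```php
<?php
// Added example: wrapping legacy unsalted MD5 digests in bcrypt.
// Function names, the 'scheme' field and the sample row are hypothetical.

// Offline migration step: only the stored MD5 hex digest is available,
// so bcrypt is applied to the digest itself.
function wrap_legacy_md5(string $md5Hex): string
{
    // Use the 32-character hex form, not raw bytes: raw digests may contain
    // NUL, which bcrypt implementations do not handle safely, and
    // PASSWORD_BCRYPT truncates its input at 72 bytes.
    return password_hash(strtolower($md5Hex), PASSWORD_BCRYPT);
}

// Login check. $user holds 'hash' and 'scheme' ('bcrypt-md5' or 'bcrypt').
// Returns [bool $ok, array $user]; $user is upgraded after a valid login.
function verify_login(string $password, array $user): array
{
    // Wrapped accounts are checked as bcrypt(md5(password)).
    $candidate = $user['scheme'] === 'bcrypt-md5' ? md5($password) : $password;
    if (!password_verify($candidate, $user['hash'])) {
        return [false, $user];
    }
    // The plaintext is available at this point, so drop the MD5 layer
    // (or refresh a hash made with outdated cost settings).
    if ($user['scheme'] === 'bcrypt-md5'
        || password_needs_rehash($user['hash'], PASSWORD_BCRYPT)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT);
        $user['scheme'] = 'bcrypt';
    }
    return [true, $user];
}

// Constructed sample: a legacy row that stored md5('correct horse').
$legacyDigest = md5('correct horse');
$user = ['hash' => wrap_legacy_md5($legacyDigest), 'scheme' => 'bcrypt-md5'];

// Attempt with a wrong password, then two logins with the right one:
// the first goes through the MD5 wrapper, the second through plain bcrypt.
foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    [$ok, $user] = verify_login($attempt, $user);
    var_dump($ok, $user['scheme']);
}
```

The 72-byte limit matters for the construction in the question as well: a SHA-512 or Whirlpool digest in hex is 128 characters, so feeding it to bcrypt would silently discard part of it.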