Browsing over this site, many forums, online articles, there's always one specific way we're suggesting to store a password hash:
function (salt, pass) {
return ( StrongHash(salt + pass) );
}
But why this exact way? Why aren't we suggesting to do this?
function (salt, pass) {
return (StrongHash(( StrongHash(salt) + StrongHash(pass) ));
}
Or even something like this?
function (salt, pass) {
var data = salt + pass;
for (i=0;i < 1000; i++) {
data += StrongHash(salt + data)
};
return (data);
}
Or some other crazy combination? Why are we specifically saying hash the concatenation of the raw salt and the raw password? The hash of both being hashed seems to be a fairly high-entropy alternative, as does hashing 1000 times as per my third example. Why don't we hash the first one a few more times for entropy's sake?
What's so amazing about the first way?
By request, examples of this:
- http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
- Password Hashing: add salt + pepper or is salt enough?
- Stretching a hash, many iterations versus longer input string
- https://www.aspheute.com/english/20040105.asp
- https://phpsec.org/articles/2005/password-hashing.html
- https://msdn.microsoft.com/en-us/library/aa545602.aspx#Y93
- https://www.developerfusion.com/article/4679/you-want-salt-with-that/3/
- https://ca3.php.net/manual/en/function.hash.php#101987
- https://ca3.php.net/manual/en/function.hash.php#89568