2

I am aware of the implications that hashing something more than once correctly will increase the security of a system, but doing it incorrectly will decrease it, as noted here and on various other sources.

But I stumbled upon a feature of Keepass, where the password database is encrypted N times to increase the work factor for brute force or dictionary attacks. This part explains how it is done: Protection against Dictionary Attacks

While I think that I am aware of the implication of hashing several times I am unsure whether encrypting several times, as explained above, increases robustness of the database.

Disclaimer: I've read Keepass Dictionary Attack Protection Strategy

Community
  • 1
Samuel
  • 708
  • 5
  • 13
  • Related: [Is multiple encryption a good idea?](http://security.stackexchange.com/questions/18087/is-multiple-encryption-a-good-idea) – sampathsris Aug 19 '14 at 08:37
  • Similar: [Is it safer to encrypt twice with RSA?](http://crypto.stackexchange.com/questions/5382/is-it-safer-to-encrypt-twice-with-rsa) – sampathsris Aug 19 '14 at 08:40
  • 2
    You may want to re-read the first link. The *very first* sentence states that hashing multiple times is essential to the security of password hashing schemes. – Stephen Touset Aug 19 '14 at 08:47
  • I think you miss read the link about hashing multiple time. Hashing multiple times actually increase your password strength because it takes longer to brute force it. But you have to do it right, so use a library for that. – Gudradain Aug 19 '14 at 15:44
  • @Krumia, regarding your second link, while I understand that encrypting twice might be trivial but when computation power increases in a way where a brute force or dictionary attack can be done in a reasonable time frame adding a work factor of a large value (for current systems) to slow down computation would still affect the overall time, right? Of course only when the work factor is large enough. – Samuel Aug 20 '14 at 07:40

1 Answers1

1

It's a different scheme. Generally it is accepted that when using a password hashing algorithm, which is intended to be very slow, is acceptable. What KeePass is doing is very similar to what most hashing algorithms do, namely slowing down hash calculation.

Their way is not a standard way. Most password hashing algorithms, such as PBKDF2, scrypt and bcrypt can actually also be tuned in the number of rounds to be used as to increase workload.

The question about which is more secure has to be put into perspective. If you slow down the hashing as much as with their encryption scheme, then the security should be the same.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196