1

I heard on another site that doing something like this is a bad idea:

<?php
$string = "hello";
$digest = sha1(hash("sha512", $string)); // SHA-512 first, then SHA-1 over the hex digest
echo $digest;

... as far as I am concerned it's a good, clever idea! Why is it not? (I did not quite understand the explanation on the other site.)

Thanks

Caspar Wylie

2 Answers

3

There's nothing wrong with hashing multiple times. There are a number of cases where this is actually a good idea.

  1. You want to slow down brute force attacks.
  2. You have a database full of hashed passwords that use a broken hashing scheme. Upgrading from MD5 to SHA1 for example.
  3. You're implementing a challenge/response scheme.
Spencer Ruport
  • what do you mean "You're implementing a challenge/response scheme."? – Caspar Wylie Feb 14 '13 at 21:57
  • @Caspar If you want to verify that someone has the same key or salt that is stored on the server, the server could hash a randomly generated message using that key/salt and send it to the client. The client would then use the key/salt to hash the hash and send back the double hash. The server would then hash the original hash with the key again to compare that it matches what the client sent. – Eric Feb 14 '13 at 22:16
1

The example you pasted is bad because you're hashing a 512-bit hash with a 160-bit hash.

Eric
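An added example, not code from the question or from either answer: it implements the challenge/response exchange that Eric's comment on the first answer sketches, and shows the point of Eric's answer, that the outer SHA-1 fixes the composed digest at 160 bits. It assumes HMAC-SHA-256 as the keyed hash (the comment only says "hash with the key") and a constructed shared secret.

```php
<?php
// Added example for this thread (not the question's or either answer's code).
// The keyed hash is HMAC-SHA-256, an assumption; the shared key is constructed.

// Bit length of the digest that sha1(hash('sha512', ...)) produces: the outer
// hash, not the inner one, decides the size of the final result.
function composedDigestBits(string $input): int {
    $inner = hash('sha512', $input); // 128 hex chars, i.e. 512 bits
    $outer = sha1($inner);           // 40 hex chars, i.e. 160 bits
    return strlen($outer) * 4;
}

// Server, step 1: hash a fresh random message with the shared key and send
// the result to the client as the challenge.
function makeChallenge(string $key): string {
    $message = random_bytes(16); // "randomly generated message" from the comment
    return hash_hmac('sha256', $message, $key);
}

// Client: "hash the hash" with the shared key and send that back.
function answerChallenge(string $key, string $challenge): string {
    return hash_hmac('sha256', $challenge, $key);
}

// Server, step 2: recompute the double hash from the stored key and compare
// it with the client's reply in constant time.
function verifyResponse(string $key, string $challenge, string $response): bool {
    $expected = hash_hmac('sha256', $challenge, $key);
    return hash_equals($expected, $response);
}

// Constructed demo run.
$sharedKey = 'constructed-shared-secret';
$challenge = makeChallenge($sharedKey);
$goodReply = answerChallenge($sharedKey, $challenge);
$badReply  = answerChallenge('wrong-secret', $challenge);

echo "composed digest bits: " . composedDigestBits('hello') . "\n";
echo "client with right key: " . var_export(verifyResponse($sharedKey, $challenge, $goodReply), true) . "\n";
echo "client with wrong key: " . var_export(verifyResponse($sharedKey, $challenge, $badReply), true) . "\n";
```

The exchange only proves that both sides hold the same key; it does not slow down guessing a low-entropy key, so the "slow down brute force" case from the first answer still calls for a purpose-built password hash such as password_hash() rather than a second round of a fast hash.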