1

Recently I have been looking to add some security to a project. I have been doing lots of research into the situation and discovered that clearly password hashing is a must. Further I have concluded that the best options are to use bcrypt, PBKDF2 or scrypt.

Also I have seen much discussion over hashing vs encryption and discovered that it is clear that hashing is more important. That said, after many searches into the depths of Google I have yet to find any information on whether encrypting an already properly hashed password is of any benefit, serves to harm or is relatively neutral.

Is the CPU cost of doing both worth it? Are there any pitfalls?

The Thirsty Ape
  • 983
  • 3
  • 16
  • 31

3 Answers3

2

Encrypting something leads to the need of decrypting, which in turn leads to the problem you already have: secure storage of a secret.

Assuming that you want to store passwords as hashes instead of plain text you are basically doing this:

hashpw := hash(salt + password)

You then store salt and hashpw in a file and use this data instead of the plain text passwords. (Note that the order of the concatenation of salt and password is crucial in many cases and that this is only a visualization of the process, nothing more; Use a tool to generate salted hashes).

A possible attacker then needs to guess the salt and the plain text password to check for a match with the stored hashpw, which is as secure as the hash algorithm you're using (rate of collisions).

Encrypting something using some cipher has the benefit of being able to restore the plain text, which the hashing way does not offer. It also requires the system which decrypt the cipher text to have the key available. Say you encrypt a string foo with some key bar. To decrypt the resulting cipher text brn you need the key bar again. This key needs secure storage on your system and if the key is exposed to the attacker, all security is gone.

As a general rule of thumb I would say that hashing provides a good way of storing texts which are checked against (e.g., passwords) as the security of that is determined by the collision rate of the hashing algorithm. Encryption on the other hand, is the technique you're using to store the rest of the data securely.

nemo
  • 55,207
  • 13
  • 135
  • 135
  • 2
    +1 Your last paragraph is the crucial part - understanding that pass-phrases need to be *confirmed* but not *retrieved*. – Duncan Jones Mar 24 '13 at 11:14
  • I agree with Duncan. The last paragraph really nails the issue. Due to it being an issue of confirmation as opposed to retrieval the hash alone for a password seems to be the way to go. – The Thirsty Ape Mar 24 '13 at 17:01
  • 1
    @Foo_Chow - There actually _is_ a benefit in encrypting the hash-value. It is probably the best way to add a server-side secret (pepper) to the hash, i explained the problem in this [answer](http://stackoverflow.com/a/16893270/575765). – martinstoeckli Jun 27 '13 at 09:41
  • @martinstoeckli good to see some discussion for encryption. Also a good link to the other post. Seems to have a very broad discussion – The Thirsty Ape Jun 27 '13 at 19:42
2

You're on the right track. Use a key derivation/password hashing function like the ones you've mentioned.

Do not use just a hash or salted hash. The main issue is that traditional hashing algorithms (MD5, SHA-*, etc.) are intended to be fast. That's not advantageous for password storage, and many implementations are breakable, even if you add a salt.

Encryption always introduces key management-related issues. It should be avoided for password storage.

The advantage of a KDF is the work factor. It's designed to be slow and computationally expensive, which is why they're idea for this situation. Scrypt is the most resilient of the options you're looking at since it requires a set amount of memory to execute. This kills the GPU attack vector. There are tradeoffs whichever way you go, but all of your choices are fine as long as you use appropriate work factors where they're configurable.

user2514748
  • 21
  • 1
  • I like the point that you make about key management pertaining to encryption, does seem to coincide with the consensus that hashing alone is best for passwords – The Thirsty Ape Jun 27 '13 at 03:31
-4

I would simply encrypt the password. Hashing is fast, but a little unsafe for passwords. When I use hashing for security purposes, it's usually for things like message signing e.g. message + hash(message+password) so that the message can be verified, but I'm no expert in the field. I don't see the point of doing both.

Dbz
  • 2,721
  • 4
  • 35
  • 53