-2

If I hash for example a password twice:

$psw1 = password_hash($password, PASSWORD_DEFAULT);
$psw2 = password_hash($psw1, PASSWORD_DEFAULT);

Is this more secure or is this just useless?

P.S.: I am new to PHP.

Funk Forty Niner
Martino Pistis
  • Depends, read this: https://stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once – Stefan Aug 20 '17 at 11:01
  • There should be no need to rehash when using password_hash()... if you want to strengthen it, just hash once with an increased cost argument – Mark Baker Aug 20 '17 at 11:05

2 Answers

5

This will prevent you from verifying the password, since you won't be able to reproduce the first hash: you've discarded the random salt of the first hash. Instead, to increase the security of a single hash, simply adjust its cost factor:

password_hash($password, PASSWORD_DEFAULT, ['cost' => 12])

The higher the cost, the more rounds of hashing will be done. Pick a cost that doesn't slow the process down too much, but isn't too low either. In fact, you should keep increasing the cost factor over time as better server hardware becomes available, and rehash your users' passwords over time with the stronger algorithm. That's specifically what password_needs_rehash is for.

deceze
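The following is an added example, not code from the question or from the answer above. It shows concretely why hashing a password_hash() output a second time breaks password_verify(), then walks through the single-hash workflow the answer recommends: a tuned cost factor, verification, and password_needs_rehash() to upgrade stored hashes on login. The sample password, the cost values and the loginAndUpgrade() helper are constructed for illustration.

```php
<?php
// Added example: double hashing versus a single bcrypt hash with a tuned cost.
// Sample password and cost values are constructed for illustration only.

$password = 'correct horse battery staple'; // constructed sample

// 1. Double hashing. Each password_hash() call picks a fresh random salt, so
//    the outer hash was computed over a string that cannot be re-derived from
//    the plaintext: the inner salt is effectively lost.
$inner = password_hash($password, PASSWORD_DEFAULT);
$outer = password_hash($inner, PASSWORD_DEFAULT);

var_dump(password_verify($password, $outer)); // bool(false): the plaintext never matches $outer
var_dump(password_verify($inner, $outer));    // bool(true), but a user cannot supply $inner at login

// 2. Single hash with an explicit cost. The stored string carries the
//    algorithm identifier, the cost and the salt, so nothing else is needed
//    to verify it later.
$options = ['cost' => 12];
$stored = password_hash($password, PASSWORD_BCRYPT, $options);
echo $stored, PHP_EOL; // "$2y$12$..." (60 characters)

var_dump(password_verify($password, $stored));        // bool(true)
var_dump(password_verify('wrong password', $stored)); // bool(false)

// 3. Upgrade path (hypothetical helper). On a successful login, check whether
//    the stored hash still matches the current algorithm and cost; if not,
//    rehash the plaintext the user just supplied and return the new hash so the
//    caller can persist it. Returns null when the password is wrong.
function loginAndUpgrade(string $submitted, string $storedHash, array $options): ?string
{
    if (!password_verify($submitted, $storedHash)) {
        return null; // reject without revealing anything about the stored hash
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        return password_hash($submitted, PASSWORD_BCRYPT, $options);
    }
    return $storedHash; // already at the current policy, keep as is
}

// Simulate a legacy hash created under cost 10, then a policy change to cost 12.
$legacy   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = loginAndUpgrade($password, $legacy, ['cost' => 12]);

var_dump($upgraded !== null && $upgraded !== $legacy);     // bool(true): a new hash was produced
var_dump(password_get_info($upgraded)['options']['cost']);  // int(12)
var_dump(loginAndUpgrade('wrong password', $legacy, ['cost' => 12])); // NULL
```

The upgrade step only works because the plaintext is available at login time; that is the only moment a stored hash can be migrated to a higher cost, which is why password_needs_rehash() belongs in the login path rather than in a batch job.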
-2

I think it is useless since once hashed it's impossible to know what the real value was... at least theoretically speaking.

I suggest using strong hash functions like sha512 or ripemd320 since there are not many publicly available databases where hashed passwords are stored.

If you want to know more, I've found an old question on Stack Overflow with good answers: PHP dehashing the password

Zed93
  • If I may rephrase: *"use an 'obscure' hash because not many rainbow tables exist for those"*? Not very sane advice; an algorithm must be strong in itself, not due to obscurity. – deceze Aug 20 '17 at 11:17
  • Well sha512 and ripemd320 are strong hash algorithms as far as I know. I think the fact that there are not many public databases is only a plus. I'm fully aware that there is no absolute security online and password hashing is not absolute since collisions can occur but I prefer to use a strong algorithm that has almost no public free data instead of the classic md5 (md5 has more possible collisions and is an algo not as strong as the other 2 I mentioned) ;) – Zed93 Aug 20 '17 at 12:36
  • Well, MD5 is indeed a terrible alternative. It's fine if the algorithm itself is fine, but the way to guard against existing databases or rainbow tables in general is a salt, not obscurity. – deceze Aug 20 '17 at 15:30
  • The mentioned algorithms (SHA-*) are not appropriate to hash passwords, not because they are unsafe, rather because they are way too fast and therefore can be brute forced too easily. Password hash functions offer a cost factor, which can be used to control the necessary time to calculate a single hash (BCrypt, PBKDF2, SCrypt, Argon2). – martinstoeckli Aug 20 '17 at 18:50
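The last comment's point, that general-purpose digests are unsuitable for passwords because of speed rather than weakness, can be seen directly by timing them. The following is an added example, not code from any of the answers or comments: it measures how many salted SHA-512 digests one CPU core computes per second next to bcrypt via password_hash() at several cost factors, and then calibrates a cost against a per-login time budget. The run counts, the 50 ms budget and the calibrateCost() helper are constructed for illustration; the numbers printed depend on the machine.

```php
<?php
// Added example: a fast digest versus a cost-factored password hash.
// Iteration counts and the time budget are constructed values.

$password = 'correct horse battery staple'; // constructed sample
$salt     = random_bytes(16);               // a salt alone does not slow the digest down

// Fast general-purpose digest: salted SHA-512, timed over a fixed number of runs.
$runs  = 100000;
$start = hrtime(true);
for ($i = 0; $i < $runs; $i++) {
    hash('sha512', $salt . $password);
}
$seconds = (hrtime(true) - $start) / 1e9;
printf("salted sha512:  %.0f hashes/second\n", $runs / $seconds);

// bcrypt through password_hash(): each cost increment doubles the work, so the
// defender chooses how expensive a single guess is.
foreach ([8, 10, 12] as $cost) {
    $start = hrtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $seconds = (hrtime(true) - $start) / 1e9;
    printf("bcrypt cost %2d: %.1f hashes/second (%.0f ms per hash)\n",
        $cost, 1 / $seconds, $seconds * 1000);
}

// Hypothetical helper: find the highest bcrypt cost whose single hash stays
// within the given time budget on this machine. Valid bcrypt costs are 4..31.
function calibrateCost(float $targetSeconds, int $maxCost = 31): int
{
    $cost = 8; // start one below the lowest cost worth considering
    do {
        $cost++;
        $start   = hrtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = (hrtime(true) - $start) / 1e9;
    } while ($elapsed < $targetSeconds && $cost < $maxCost);

    return $cost - 1; // the last cost that stayed within budget
}

printf("Highest cost within a 50 ms login budget here: %d\n", calibrateCost(0.05));
```

The gap between the two figures is the whole argument: a salt defeats precomputed tables, but only a cost factor makes each individual guess expensive, and the cost should be re-calibrated as server hardware improves.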