5

I currently use SHA512 with per user random salt to hash user passwords and store them in a database. I thought this was pretty secure until I read this article about the use of cheap GPU's to brute force attack passwords.

As an alternative to changing over to bcrypt would it improve security to simply use the SHA512 multiple times? Running it say 100 or 1000 times on its own output to slow down the process and make it that much harder to brute force? Or does iteration of SHA512 actually yield no security benefit?

Phil Wright
  • 22,580
  • 14
  • 83
  • 137

1 Answers1

5

Iteration technique is well known and effective in hashing especially against Rainbow tables. Classes like Rfc2898DeriveBytes use up to 10K iterations to derive proper passwords. Iterating the hash makes it more difficult to brute force back to the original string since it would be needed to store multiple iterations of strings to be able to crack them which whould mean massive amounts of data with larger hashes (i.e. SHA512).

Teoman Soygul
  • 25,584
  • 6
  • 69
  • 80
  • I asked this [question](http://security.stackexchange.com/questions/96470/does-sha-512-become-suitable-to-store-a-password-if-we-use-salt-and-iteration-wi?noredirect=1#comment165860_96470) here and they answered me that it is not a good idea and instead, I have to use on of the ready hashing functions like bcrypt – Mo Haidar Aug 10 '15 at 17:09