3

I had an idea about storing passwords in databases: since passwords can be cracked by simply looking up a hash in rainbow tables (etc. etc.), would it be much (or even a little) safer to store a manipulated hash instead of the real one? In my case, it's not a string hashed twice or something - I have a custom pattern of "scrambling" a hash (I'd prefer not to mention my approach to this), so I figured I'd ask if it's worth the trouble before I do something that's useless.

Passwords in the database are currently encrypted with Blowfish (salts are completely random) and SHA-1, is this otherwise safe enough (yeah, you can never be too safe - but should it suffice)? We really don't have many users either, as the site doesn't draw much attention.

I'm absolutely no expert of this kind of stuff, so go easy on me. The only thing I know, is that people are getting better and better at cracking passwords (and the possibilities seems to be increasing).

AstroCB
  • 12,337
  • 20
  • 57
  • 73
anon
  • 31
  • 1

1 Answers1

2

I'd prefer not to mention my approach to this

Security through obscurity is not security.

If the passwords of the users is long enough and you add a long enough salt and you use a good hashing / crypting algo you won't be able to find the hash in a rainbow table.

Take a look at for example: http://freerainbowtables.com which are distributed rainbow tables and see where they are.

You can however in stead of scrambling your password yourself (or with some selfmade function) use more iterations when encrypting.

PeeHaa
  • 71,436
  • 58
  • 190
  • 262