1
hash(value1 & value2 & salt)
hash(hash(value1 & value2) & salt)
hash(hash(value1 & value2) & hash(salt))
hash(hash(value1 & salt) & hash(value2 & salt))
hash(hash(value1 & salt1) & hash(value2 & salt2))
hash(value1 & salt1 & value2 & salt2)
hash(value1 & salt1) and hash(value2 & salt2)  '2 separate hashes for each input

In an application where 2 'passwords' are needed to access a specific function (for whatever reason you want) and the salt(s) are large random strings, what would be the best way of getting a final hash to store? (Not necessarily 1 of the above.)

Is it 'better' to have the outside/final hash algorithm different to the inner ones?

Side question: is a salt mainly for making short, crappy user pw's more secure from brute force attacks? So if the pw was large (say the ByteArray of an image file) would a salt add any real purpose? Thanks.

Ben Mate

1 Answer

2

Assuming & means concatenation, the safest is:

hash(value1 & delim & value2 & delim & salt)

...where delim is a delimiter that cannot appear in any of the other strings. It doesn't matter which order value1, value2 and salt appear in.

The delimiter prevents aliasing, e.g., (value1, value2) = ('fail', 'stone') vs (value1, value2) = ('fails', 'tone').

Marcelo Cantos
  • Thanks. I read this also http://stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once – Ben Mate Jul 18 '12 at 14:20
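
The aliasing described in the answer, as an added example that is not part of the original posts: plain concatenation gives ('fail', 'stone') and ('fails', 'tone') the same digest, while the delimited form keeps them apart. It goes one step beyond the answer with a length-prefixed variant for inputs where no delimiter can be ruled out (such as the raw image bytes mentioned in the question). SHA-256 stands in for the page's generic hash(), and the function names and the sample salt are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed sample salt; a real one would be a large random value per record.
SALT = b"constructed-sample-salt"


def naive_hash(value1: bytes, value2: bytes, salt: bytes) -> str:
    """hash(value1 & value2 & salt): the boundary between fields is lost."""
    return hashlib.sha256(value1 + value2 + salt).hexdigest()


def delimited_hash(value1: bytes, value2: bytes, salt: bytes,
                   delim: bytes = b"\x00") -> str:
    """hash(value1 & delim & value2 & delim & salt), as in the answer.

    The delimiter only prevents aliasing if it cannot occur inside a field,
    so inputs that contain it are rejected instead of silently hashed.
    """
    for field in (value1, value2, salt):
        if delim in field:
            raise ValueError("delimiter occurs inside a field")
    return hashlib.sha256(delim.join((value1, value2, salt))).hexdigest()


def length_prefixed_hash(value1: bytes, value2: bytes, salt: bytes) -> str:
    """Unambiguous encoding for arbitrary bytes: 8-byte length, then the field."""
    h = hashlib.sha256()
    for field in (value1, value2, salt):
        h.update(struct.pack(">Q", len(field)))  # big-endian field length
        h.update(field)
    return h.hexdigest()


if __name__ == "__main__":
    a, b = (b"fail", b"stone"), (b"fails", b"tone")
    print("naive collides:    ", naive_hash(*a, SALT) == naive_hash(*b, SALT))
    print("delimited collides:", delimited_hash(*a, SALT) == delimited_hash(*b, SALT))
    # Binary inputs may contain any byte, so use the length-prefixed form.
    c, d = (b"a\x00", b"b"), (b"a", b"\x00b")
    print("prefixed collides: ",
          length_prefixed_hash(*c, SALT) == length_prefixed_hash(*d, SALT))
```
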