Author Topic: How Bitsum protects your passwords  (Read 7052 times)

Jeremy Collake (Administrator, Bitsum)
How Bitsum protects your passwords
« on: June 13, 2012, 06:29:23 AM »
I posted this on security forums elsewhere, as I hoped to give administrators an easy clue on how to update an unbreached database of hashed passwords without waiting for the user to login to update the hash to a new algorithm. Maybe others have done this, but I'd never seen it mentioned, so ...

Here's my approach...

I'M IGNORING SALTING FOR SIMPLICITY OF DISCUSSION ONLY.

Presume I had the initial passwords stored as:

SHA1(password)

Now, to update them I could wait for users to login, OR double hash. Yep, hash the hash. The new algorithm would then become:

SHA2-512(SHA1(password))

or to be precise with salting,

SALT^SHA2-512(SALT^SHA1(password))

This is an easy way to update existing unbreached databases with new hashing algorithms. It also increases the computational complexity at the same time, and, as an added benefit, creates a unique combination of algorithms that can serve to further obfuscate the algorithm used. Later, if I need to change the hash algorithm again, I can continue to add additional hash algorithms, using a third, fourth, fifth, etc., round of hashing the hash of the password.

It could then later be:

SALT^RIPEMD(SALT^SHA2-512(SALT^SHA1(password)))

Seamless updating of the database.
« Last Edit: June 13, 2012, 07:05:38 AM by bitsum.support »
Software Engineer. Bitsum LLC.
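The migration the post describes, as an added example that is not part of the original post or of any Bitsum code. It assumes the `SALT^X` notation means "salt bytes prepended to X", that each extra round hashes the raw digest bytes (not the hex string) of the previous round, and that every record stores the list of algorithms and per-round salts it was built with so that verification can replay the chain. Because `ripemd160` is only present in `hashlib` on some OpenSSL builds, the third round uses `sha3_512` in place of the RIPEMD round mentioned above. The `LEGACY_DB` records and the fixed salts are constructed sample data.

```python
import hashlib
import hmac
import os

# --- Constructed legacy data: unsalted SHA1(password), as in the post ---
def legacy_sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Each record carries the chain of algorithms and the salt used at each
# round (hex).  Legacy rows have a one-element chain with an empty salt.
LEGACY_DB = {
    "alice": {"chain": ["sha1"], "salts": [""], "hash": legacy_sha1_hex("correct horse")},
    "bob":   {"chain": ["sha1"], "salts": [""], "hash": legacy_sha1_hex("hunter2")},
}


def hash_round(algo: str, salt: bytes, data: bytes) -> bytes:
    """One round: algo(salt || data), returning raw digest bytes (assumed layout)."""
    return hashlib.new(algo, salt + data).digest()


def wrap_record(record: dict, new_algo: str, salt: bytes) -> dict:
    """Re-hash the *stored* digest under a new algorithm.

    No password is needed: the stored value is the input of the new round,
    which is exactly what lets the whole table be migrated offline.
    """
    old_digest = bytes.fromhex(record["hash"])
    new_digest = hash_round(new_algo, salt, old_digest)
    return {
        "chain": record["chain"] + [new_algo],
        "salts": record["salts"] + [salt.hex()],
        "hash": new_digest.hex(),
    }


def migrate_db(db: dict, new_algo: str, salt_fn=lambda: os.urandom(16)) -> dict:
    """Wrap every record in the table; salt_fn is injectable for testing."""
    return {user: wrap_record(rec, new_algo, salt_fn()) for user, rec in db.items()}


def verify(record: dict, password: str) -> bool:
    """Replay the stored chain on the submitted password and compare."""
    digest = password.encode()
    for algo, salt_hex in zip(record["chain"], record["salts"]):
        digest = hash_round(algo, bytes.fromhex(salt_hex), digest)
    # Constant-time comparison so the check itself leaks nothing by timing.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # First migration: SALT^SHA2-512(SHA1(password))
    db_v2 = migrate_db(LEGACY_DB, "sha512")
    # Second migration later: SALT^SHA3-512(SALT^SHA2-512(SHA1(password)))
    db_v3 = migrate_db(db_v2, "sha3_512")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2"), ("bob", "wrong")):
        print(user, pw, verify(db_v3[user], pw))
```

Keeping the chain and salts beside the hash is what makes the scheme workable in practice: the login path never needs to know which migration "generation" a row belongs to, it simply replays whatever rounds are recorded. A row that is wrapped twice before its user ever logs in verifies just as well as one wrapped once.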