How Bitsum protects your passwords

Started by Jeremy Collake, June 13, 2012, 06:29:23 AM

Previous topic - Next topic

Jeremy Collake

I posted this on security forums elsewhere, as I hoped to give administrators an easy clue on how to update an unbreached database of hashed passwords without waiting for the user to login to update the hash to a new algorithm. Maybe others have done this, but I'd never seen it mentioned, so ...

Here's my approach..

I'M IGNORING SALTING FOR SIMPLICITY OF DISCUSSION ONLY.

Presume I had the initial passwords stored as:

SHA1(password)

Now, to update them I could wait for users to login, OR double hash. Yep, hash the hash. The new algorithm would then become:

SHA2-512(SHA1(password))

or to be precise with salting,

SALT^SHA2-512(SALT^SHA1(password))

This is an easy way to update existing unbreached databases with new hashing algorithms. It also increases the computation complexity at the same time, and, as an added benefit, create a unique combination of algorithms that can serve to further obfuscate the algorithm used. Later, if I need to change the hash algorithm again, I can continue to add additional hash algorithms, using a third, fourth, fifth, etc.. round of hashing the hash of the password.

It could then later be:

SALT^RIPEMD(SALT^SHA2-512(SALT^SHA1(password)))

Seamless updating of the database.
Software Engineer. Bitsum LLC.