
I wonder if there would be any value in creating a custom cipher for added security.

So, I guess, for example, you have passwords stored as SHA-256 hashes. If access is gained to the hashes, it is possible to execute a brute-force attack easily, since the SHA algorithms are a standard. But if you have your own custom cipher, this cannot be done so easily. Since I have next to zero knowledge of how to create my own cipher, and in order to have some assurance of collision resistance, I thought I could just take the output of a standard cryptographic hash function and run it through a few more steps in order to make the result less likely to be brute-forced, as essentially no one would know what the extra few steps are.

An extra simple example, which I wouldn't use but which serves for the sake of having an example, would be to reverse the order of the hash I started with.

Thoughts?

John Euell


You are right in that SHA-256 alone is a bad choice for password security. But adding "secret steps" is not a good idea in cryptography, because there will be a time when these secret steps become public. Instead, one uses random salts or, much better, algorithms specifically designed for this class of problems.

In the case of passwords, I recommend reading the Password Storage Cheat Sheet at OWASP to find out how to do it properly. See also "Is my developer's home-brew password security right or wrong, and why?".

Steffen Ullrich
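To illustrate the answer's point, here is an added example (not code from either poster) contrasting the unsalted SHA-256 storage described in the question with a per-user random salt and a deliberately slow, standard key-derivation function. Everything needed to verify is stored next to the hash; the security rests on the salt and the cost factor, not on secret steps. The iteration count and the storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Unsalted SHA-256 as in the question: the same password always gives the
# same digest, so a leaked table can be attacked offline at full SHA-256
# speed, and identical passwords across users are visible at a glance.
def sha256_only(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per password and a
# slow iteration count. 600_000 is an assumed example value; take the
# current figure from the OWASP Password Storage Cheat Sheet.
ITERATIONS = 600_000

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed record format: scheme$iterations$salt_hex$digest_hex.
    # Nothing here is secret; a leaked record still costs `iterations`
    # PBKDF2 rounds per guess per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(sha256_only(pw) == sha256_only(pw))   # True: unsalted, identical every time
    a, b = hash_password(pw), hash_password(pw)
    print(a != b)                                # True: fresh salt per call
    print(verify_password(pw, a), verify_password("wrong", a))  # True False
```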