
One way to secure a password in the database is to hash it with a salt, i.e. append a random string to the password, then hash it and store the value.

Does encrypting password || salt and then hashing it make it more secure? Is it really necessary (or can I skip the encryption part)?

schroeder
xcoder

2 Answers


The general idea is that any secure process must be able to remain secure even if the process is known. In this scheme, you've just added a step: encryption.

But you have to accept that people will know that you've added encryption and what type. This means that you've only made the process of checking passwords one step more difficult, because there is that extra step.

This means that you've only made it a little more difficult to test passwords: hash(encrypt(password||salt))

Your better bet is to do what is suggested for best practice: multiple rounds of hashing.

schroeder

Provided proper password hashing is used, hashing and salting alone are sufficiently secure. Additional encryption does not add any relevant security to it.

Steffen Ullrich
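The point both answers make, as an added example (this is not code from either answer or from the question): an attacker who knows the scheme simply recomputes it per guess, so hash(encrypt(password||salt)) costs about the same per guess as hash(password||salt), whereas a proper password hash (PBKDF2 from Python's standard library here) raises the per-guess cost by orders of magnitude. The XOR "cipher" is a constructed stand-in for the encryption step, the wordlist is constructed, and the PBKDF2 iteration count is an assumed illustrative value rather than a recommendation taken from the page.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

Scheme = Callable[[bytes, bytes], bytes]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 'encrypt' step: XOR with a SHA-256 keystream.
    Illustrative only; a real cipher plays the same role in the argument,
    because the attacker is assumed to know both the scheme and the key."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def salted_hash(password: bytes, salt: bytes) -> bytes:
    """hash(password || salt): one fast hash per guess."""
    return hashlib.sha256(password + salt).digest()


def make_encrypt_then_hash(key: bytes) -> Scheme:
    """hash(encrypt(password || salt)): the same, plus one more fast step."""
    def scheme(password: bytes, salt: bytes) -> bytes:
        return hashlib.sha256(toy_encrypt(key, password + salt)).digest()
    return scheme


def make_pbkdf2(iterations: int = 100_000) -> Scheme:
    """A proper password hash from the standard library: PBKDF2-HMAC-SHA256.
    Each guess costs `iterations` HMAC computations (assumed illustrative count)."""
    def scheme(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return scheme


def crack(stored: bytes, salt: bytes, candidates: Iterable[bytes],
          scheme: Scheme) -> Optional[bytes]:
    """Offline guessing attack: the attacker knows the scheme (and, for the
    encrypt-then-hash variant, the key) and recomputes it for every guess."""
    for guess in candidates:
        if hmac.compare_digest(scheme(guess, salt), stored):
            return guess
    return None


def cost_per_guess(scheme: Scheme, salt: bytes, samples: int = 20) -> float:
    """Seconds the attacker spends per candidate password under `scheme`."""
    start = time.perf_counter()
    for i in range(samples):
        scheme(b"guess%d" % i, salt)
    return max(time.perf_counter() - start, 1e-9) / samples


def compare_schemes(password: bytes, wordlist: Iterable[bytes]) -> dict:
    """Store `password` under all three schemes, crack each with the same
    wordlist, and report the per-guess cost relative to the plain salted hash."""
    wordlist = list(wordlist)
    salt = os.urandom(16)   # per-user random salt, stored beside the hash
    key = os.urandom(32)    # encryption key; assumed known to the attacker
    schemes = {
        "hash(pw||salt)": salted_hash,
        "hash(encrypt(pw||salt))": make_encrypt_then_hash(key),
        "pbkdf2(pw, salt)": make_pbkdf2(),
    }
    base = cost_per_guess(salted_hash, salt)
    report = {}
    for name, scheme in schemes.items():
        stored = scheme(password, salt)
        report[name] = {
            "cracked": crack(stored, salt, wordlist, scheme),
            "cost_ratio": cost_per_guess(scheme, salt) / base,
        }
    return report


if __name__ == "__main__":
    # Constructed wordlist; a real attack would use a far larger one.
    WORDLIST = [b"password", b"123456", b"letmein", b"hunter2", b"qwerty"]
    for name, result in compare_schemes(b"hunter2", WORDLIST).items():
        print(f"{name:26s} cracked={result['cracked']!r:12} "
              f"cost per guess vs plain hash: x{result['cost_ratio']:.0f}")
```

All three schemes fall to the same wordlist; the only thing that changes between them is how much work each guess costs the attacker, and only the password hash moves that number meaningfully.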