
I've always wondered if it would make any sense to put fake characters into a hashed password?

For example this is my password: 1234

and after hashing the password, this is the result: abcd

Then add characters to the hashed password: aKbjczdx (every 2nd character is fake)

Would this make any sense?

Computernerd
  • Basically you're asking if hash obfuscation makes sense? – domen Mar 06 '14 at 15:26
  • No, it doesn't. The threat model is that the attacker has access to your source code and can remove the obfuscation as easily as you added it. – Joan Charmant Mar 06 '14 at 15:28
  • Just because the attacker has gained access to the password list does not mean they have access to the source code. Not saying this idea is valid, but they are two different scenarios. – donutdan4114 Mar 06 '14 at 21:18
  • They may not, but you must assume that the attacker might: have the source code, be an insider, know an insider, get the source code later, know an insider later, and most likely: will figure out the pattern you're using at some point, at which time everyone will know. Note that critically, "attacker" does NOT mean "the one group that got my hashed passwords first"; "attacker" actually means **every person or group that ever gets ahold of my hashed password list**, including researchers, competition contestants, and everyone reading whatever forums the original person uploads it to (pastebin). – Anti-weakpasswords Mar 07 '14 at 01:32
  • @Anti-weakpasswords That's very interesting, if not brilliant, and should be an answer! – Volker Siegel Jun 12 '14 at 16:09

3 Answers


There is a basic rule when considering hashing passwords and other secret-keeping within an application:

The attacker knows everything the application knows.

So in this case, you don't gain anything, since the attacker can simply remove your obfuscation and then go about cracking your passwords directly. The same goes for:

  • "secret" salts
  • custom hashing algorithms
  • reversible encryption

Don't waste your time here. Get a standard, best-practice password hashing algorithm (bcrypt, scrypt, PHPass, PBKDF2) and spend your time securing your application.

bonsaiviking
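To make the point of this answer concrete, here is an added example (not code from the question or any of the answers): the interleaving scheme from the question is stripped in one line by anyone who has read the code, so offline guessing costs one cheap hash per candidate, while a standard salted, iterated hash (PBKDF2-HMAC-SHA256) keeps its per-guess cost even though its verification routine is equally public. The filler pool, iteration count and the tiny wordlist are constructed assumptions.

```python
"""Added example, not code from the question or answers: the question's
interleaving scheme next to a standard salted, iterated hash (PBKDF2-HMAC-SHA256).
Filler pool, iteration count and the sample wordlist are constructed assumptions."""
import hashlib
import hmac
import os
import string
from typing import Optional

FILLER = string.ascii_letters          # constructed pool of "fake" characters
PBKDF2_ITERATIONS = 600_000            # assumed work factor; tune to your hardware

def fast_hash(password: str) -> str:
    """Plain unsalted SHA-256, standing in for the question's 'abcd' step."""
    return hashlib.sha256(password.encode()).hexdigest()

def obfuscate(hex_digest: str) -> str:
    """The question's scheme: one random filler character after every real one."""
    noise = os.urandom(len(hex_digest))
    return "".join(c + FILLER[b % len(FILLER)] for c, b in zip(hex_digest, noise))

def deobfuscate(stored: str) -> str:
    """All an attacker who has read the code needs: keep every 2nd character."""
    return stored[0::2]

def crack_obfuscated(stored: str, wordlist: list) -> Optional[str]:
    """Offline guessing against the obfuscated record: the filler is stripped once,
    so each candidate costs exactly one cheap hash, same as with no obfuscation."""
    target = deobfuscate(stored)
    for guess in wordlist:
        if hmac.compare_digest(fast_hash(guess), target):
            return guess
    return None

def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Standard approach: per-record random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """The scheme is fully known to the attacker, yet every guess still pays the KDF cost."""
    return hmac.compare_digest(pbkdf2_hash(password, salt)[1], digest)

if __name__ == "__main__":
    record = obfuscate(fast_hash("1234"))
    print(record, "->", crack_obfuscated(record, ["password", "123456", "1234"]))
    salt, digest = pbkdf2_hash("1234")
    print(verify_pbkdf2("1234", salt, digest), verify_pbkdf2("1235", salt, digest))
```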

No, it would not make sense.

When the attacker knows that every 2nd character is fake, it would not slow them down at all.

Any security measure which relies on the attacker not knowing how your system works is security through obscurity, which is an anti-pattern. A system is only secure when it is secure against someone who knows exactly how it works.

Philipp

A lot of the answers seem to be missing your point, as I assume that when you say

and this is my hash: abcd

you already are using a secure and accepted hashing algorithm, rather than just doing pure obfuscation. In this case I would argue that some obfuscation of hashes does add security, as often only databases get dumped without the code, and in those cases - and only in those cases - an extra rule that is applied to the hash will make it a lot harder to figure out what is happening and which hashing algorithm has been used.

Of course it's best to make sure that the database doesn't get stolen in the first place, and it's likely that once an attacker has access to a database he will also gain access to your code, but making a hash unrecognizable would make at least quite a lot of those script-kiddie hackers give up.

All in all, would I advise you to do it? Nope, not really. Using a good hashing algorithm and salting your passwords should be more than enough, but in response to your question: yes, it does make some sense, no matter how little.

David Mulder