0

I use bcrypt (32 rounds) and once the hash is produced, I get the sha512 of that hash and I then hash that with blow fish and once that is done, I hash it again with sha512 with a salt that has been hashed with bcrypt (94 rounds) that is 33 characters long to each user password.

So is that secure or not?

Braiam
  • 177
  • 15
sss
  • 33
  • 4

2 Answers2

14

Yes but everything after the first bcrypt is completely unnecessary. bcrypt automatically generates and appends a salt as well (in the ruby implementation anyway), and changing the number of rounds is sufficient to ensure that the hashing scheme is slow enough to deter offline brute forcing.

Slicedpan
  • 313
  • 2
  • 12
8

Your scheme is as secure as bcrypt with 32 rounds, but much more complicated. Adding complexity does not increase the security of the system, it just makes it more likely to have bugs.

The SHA-512 and Blowfish-based hashes don't add any significant work factor compared to the bcrypt. And the extra rounds of bcrypt applied to the salt add nothing to the difficulty of brute-force password guessing, because it only needs to be calculated once per target password, not once per guess.

I would strongly suggest just using standard bcrypt. To increase the hash strength just increase the number of rounds. (A lot - assuming you mean 32 iterations, that's next to nothing. See Recommended # of rounds for bcrypt for more realistic numbers.)

This will aid interoperability and allow you to increase the number of rounds as you go forward without breaking all your existing hashes.

bobince
  • 12,534
  • 1
  • 27
  • 42