Previously Uli Fouquet wrote:
Hi Dan,
thanks for your quick response.
Dan Korostelev wrote:
Yeah, that's definitely a mistake! The hash needs to be generated using both salt and password.
Also, I saw a technique when you generate a hash using double hashing, like this: sha(sha(password) + salt).hexdigest(). It looks even more secure :)
Hm, not sure. Building the hash of a hash doesn't give a more equal distribution, does it? Therefore it doesn't look 'more secure' to me.
It would not surprise me if it would in fact not be considerably weaker. The cleartext space for the second hash is a lot smaller and very predictable (you know the exact string length and that it only consists of digits and lowercase letters), making an attack simpler.

Wichert.

--
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
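The three constructions discussed in the thread, as an added example that is not code from any of the participants: the unsalted hash (the original mistake), the salted hash (the fix), and the sha(sha(password) + salt) variant, plus a helper that shows what the outer hash in that variant actually receives. It assumes `sha` means SHA-1 (Python's old `sha` module) and uses `hashlib`, `hmac` and `os.urandom` from the standard library; the sample password and account setup are constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple

HEX_ALPHABET = "0123456789abcdef"


def unsalted_hash(password: str) -> str:
    """The mistake the thread starts from: only the password is hashed, so every
    account that chose this password stores the identical digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """The fix the thread agrees on: salt and password both enter the hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def double_hash(password: str, salt: bytes) -> str:
    """The sha(sha(password) + salt) variant from Dan's message, reproduced so the
    intermediate value it feeds to the outer hash can be inspected."""
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hashlib.sha1(inner.encode("ascii") + salt).hexdigest()


def inner_digest_profile(password: str) -> dict:
    """What the outer hash in double_hash actually sees: a fixed-length string over
    a 16-symbol alphabet. This is the small, predictable cleartext space Wichert's
    reply describes; the password's own length and character set never reach it."""
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return {
        "length": len(inner),
        "alphabet_size": len(HEX_ALPHABET),
        "only_lowercase_hex": all(c in HEX_ALPHABET for c in inner),
    }


def make_record(password: str, salt_len: int = 16) -> Tuple[bytes, str]:
    """Create a stored credential: a fresh random salt plus the salted digest.
    Both are stored; the salt is not secret, it only has to differ per account."""
    salt = os.urandom(salt_len)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    shared = "correct horse battery staple"
    print("unsalted, identical for both accounts:", unsalted_hash(shared))
    salt_a, rec_a = make_record(shared)
    salt_b, rec_b = make_record(shared)
    print("salted, account A:", rec_a)
    print("salted, account B:", rec_b)
    print("inner digest as seen by the outer hash:", inner_digest_profile(shared))
    print("verify correct password:", verify(shared, salt_a, rec_a))
    print("verify wrong password:  ", verify("Tr0ub4dor&3", salt_a, rec_a))
```

Running it shows the two salted records differ while the unsalted digest is shared, and that the outer hash of the double-hash variant only ever sees 40 lowercase hex characters regardless of what the user typed. SHA-1 is used here only to match the `sha` of the thread; for a new system a dedicated password hash such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt` with a per-account salt is the standard choice.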