Intro

A common technique to securely hash passwords is to use salting and peppering. Salt comes from the database and pepper comes from the server. This means that both salting and peppering are server-side operations.

Situation

When hashing a password, I would prefer to hash after applying salt and pepper, because applying salt and pepper onto an already existing hash using simple concatenation or similar string injection would make patterns appear that make it relatively easy for hackers to extract salt and pepper from the hash.

Problem

But the problem with hashing after salt and pepper is that this means that the hashing needs to happen on the server-side. This subsequently means that you'd still have the plain-text password on the server because it isn't hashed yet, which means that a plaintext password has travelled through an http(s) request.

This makes it seem rather sketchy. If hackers would be able to decrypt an https request, I would much rather expose a hash than a plaintext. But sending the hash from the client-side is not possible since the client doesn't have the salt and pepper.

My solution (which is what I want to verify)

My idea as a solution would be to hash the password on the client without salt and pepper. Then send this to the server and then the server concatenates this hash with salt and pepper before hashing the entire thing again.

Is this 'double hash' actually a thing? How is this done otherwise?

  • Since this isn't about programming, it's off-topic here, but seems like a good question for Information Security Stack Exchange, if not already asked there. Commented May 22, 2024 at 18:25

1 Answer

A password hash sent to the server instead of a "cleartext" password is not any better than the source of the hash (the "cleartext" password).

When the hash gets stolen, it could simply be sent to the server by the thief instead of the password to log in.

The only slight advantage would be that if a user has the same password on multiple services, you could only use the hash to hack the user on services that use the same hashing algorithm and also accept hashes instead of cleartext passwords. Salt and pepper would lower that risk even more.

But this does not improve the security of "your" service. You still have to take care that a password hash is only held for a super short amount of time in the memory of the server.

On the contrary, without the double hashing with salt and pepper that you suggested, you would even store kind of cleartext passwords in your user database to compare to.

So with double hashing, you only have the pepper as protection against de-hashing attacks, because the salt is even stored with the user and the double-hashed password. This lowers security compared to sending the cleartext password and hashing it with salt and pepper just on the server to compare with the stored thing.
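
Added example, not part of the original question or answer: a Python sketch of the scheme discussed above, showing that the pre-hash the client sends is accepted on replay exactly like a password, while the record the server stores differs from it. The choice of SHA-256 on the client, HMAC for the pepper, PBKDF2 for the salted hash, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

PEPPER = os.urandom(32)   # constructed server secret, kept outside the database
ITERATIONS = 600_000      # PBKDF2 work factor chosen for this example

def client_prehash(password: str) -> bytes:
    """What the client in the question would send instead of the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def server_hash(submitted: bytes, salt: bytes) -> bytes:
    """Mix in the pepper as an HMAC key, then run a slow salted KDF."""
    peppered = hmac.new(PEPPER, submitted, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)

def register(db: dict, user: str, submitted: bytes) -> None:
    salt = os.urandom(16)                      # per-user salt, stored with the record
    db[user] = (salt, server_hash(submitted, salt))

def login(db: dict, user: str, submitted: bytes) -> bool:
    salt, stored = db[user]
    return hmac.compare_digest(stored, server_hash(submitted, salt))

def demo() -> dict:
    db = {}
    password = "correct horse battery staple"  # constructed sample password
    register(db, "alice", client_prehash(password))
    register(db, "bob", client_prehash(password))
    # The value that crosses the wire; the server cannot tell who computed it.
    on_the_wire = client_prehash(password)
    return {
        "legit_login": login(db, "alice", client_prehash(password)),
        "replayed_prehash": login(db, "alice", on_the_wire),
        "wrong_password": login(db, "alice", client_prehash("guess")),
        "stored_differs_from_prehash": db["alice"][1] != on_the_wire,
        "same_password_distinct_records": db["alice"][1] != db["bob"][1],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
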
