
I remember reading about a scheme where the process of checking a password went like this:

  1. given (hash, salt) in a database,
  2. hash password with salt to check against the hash,
  3. hash password with old hash as salt,
  4. store (new hash, salt a.k.a. old hash) in the database.

I can't find the original source. In any case, I don't understand

  1. what the advantage is of using the old hash as the salt (as opposed to using a random salt),

  2. what the advantage of this scheme is in general (further complicating rainbow table attacks?), and

  3. if there is an advantage, how one would apply the scheme using PHPass, since the salt seems to be managed "within" PHPass...

Intuitively, I think this scheme would do nothing at best, or worsen security at worst (due to a dependency on a past value), but password security is one area where I don't trust my intuition. Please enlighten me.

EDIT:

I'm asking about re-hashing the password on each check. These similar questions do answer the first question—that using a hash as a salt is useless—but not whether it's useful to re-hash on each check:

  • can't have been asked less than a hundred times on S.O in the last year. –  Aug 26 '12 at 04:17
  • possible duplicate of [Salting Your Password: Best Practices?](http://stackoverflow.com/questions/674904/salting-your-password-best-practices) –  Aug 26 '12 at 04:18
  • @Dagon - I don't think so. I'm asking about the advantage of changing the hash value entirely each time, while the link you provide seems to be more about prepending or postpending the salt. – Andrew Cheong Aug 26 '12 at 04:25
  • I have found these but they are not exact duplicates either: http://stackoverflow.com/questions/2029869/using-a-hash-of-data-as-a-salt (this one is not re-hashing on each login), http://stackoverflow.com/questions/1120381/using-a-hash-of-what-you-are-hashing-as-a-salt (neither is this). – Andrew Cheong Aug 26 '12 at 04:46

1 Answer


I am no security expert, but to answer #1 there is no advantage. All it does is complicate things further.

Just use a good randomly generated salt. Like you said, PHPass handles it internally, and PHPass is considered an extremely good tool, as it has been reviewed by many security experts.

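To make question 3 concrete, here is a Python re-implementation of the phpass portable (`$P$`) hash format, added as an example and not PHPass's own code or part of the original post. It shows that the cost character and the 8-character salt are stored inside the hash string and read back from it on every check, so there is no separate salt column to replace with an old hash; "re-hashing after each check" with PHPass would simply mean calling `hash_password` again, which draws a fresh random salt. The function names `hash_password` and `check_password` are this example's own, mirroring `PasswordHash::HashPassword` and `PasswordHash::CheckPassword`.

```python
import hashlib
import hmac
import os

# Alphabet of phpass' own base64 variant; the index of the cost character is log2(iterations).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass encode64: little-endian, 6 bits per output char, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a '$P$' hash from its 12-char prefix: '$P$', cost char, 8-char salt."""
    if setting[:3] != "$P$" or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    salt = setting[4:12].encode()           # the salt lives inside the stored string
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):        # 2**count_log2 chained MD5 rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)  # 12 + 22 = 34 characters

def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    """Like PasswordHash::HashPassword: a fresh random salt on every call."""
    cost_char = ITOA64[min(iteration_count_log2 + 5, 30)]
    salt = encode64(os.urandom(6))          # 6 random bytes -> 8 salt characters
    return crypt_private(password.encode(), "$P$" + cost_char + salt)

def check_password(password: str, stored_hash: str) -> bool:
    """Like PasswordHash::CheckPassword, with a constant-time comparison."""
    return hmac.compare_digest(crypt_private(password.encode(), stored_hash), stored_hash)
```

Because `check_password` re-derives everything from the stored string, anyone who wants per-check rotation gets it by storing `hash_password(pw)` after a successful check; there is no hook for supplying the old hash as the salt, and none is needed.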