-3

For example, a person having password 123456.

it's MD5 is e10adc3949ba59abbe56e057f20f883e and SHA1 is 7c4a8d09ca3762af61e59520943dc26494f8941b and after joining both hashes.

Which comes to be e10adc3949ba59abbe56e057f20f883e7c4a8d09ca3762af61e59520943dc26494f8941b, decreases the risk of getting brute-forced?

CaffeineAddiction
  • 7,771
  • 2
  • 24
  • 42
Naman
  • 175
  • 7
  • 8
    If the attacker knows your scheme, it will be no stronger than MD5 alone. Use a password hashing method that is known to be difficult to attack, such as bcrypt – Owen Jul 01 '16 at 16:06
  • @Owen How can attacker know my scheme when I use PHP to encrypt them? – Naman Jul 01 '16 at 16:10
  • Maybe by your bragging about it on security.se :) – infixed Jul 01 '16 at 16:13
  • 3
    Don't try to make your own "smart-hashing-algorithms", people who have actually studied cryptography and it's complex math, have already done that for you. In most cases even open-source so multiple professional cryptographers have reviewed/improved it. Your implementation indeed won't really help. People will see quickly it's a mix of multiple hash-algorithms: length (MD5: 32 & SHA-1: 40) and a tool like Hash-Identifier will do the rest. – O'Niel Jul 01 '16 at 16:14
  • @NamanSood basically this a security through obscurity, it may be okay but as soon as someone discover the "trick" you will have only md5 security. Check this link https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea – Damien Jul 01 '16 at 16:17
  • 3
    @NamanSood An untrustworthy hosting company, a former employee, someone who steals your laptop with your source code, someone who guesses your SSH or FTP or other remote access password. Breaches happen to the biggest and best companies. There is no good reason not to use a tried and true password hashing function, especially when PHP has it built in for you. http://php.net/manual/en/function.password-hash.php – Owen Jul 01 '16 at 16:29
  • Actually it'll turn out to be a little worse than MD5. MD5 could have several collisions within your password space. Now an attacker can use SHA1 on the candidates to identify it or at least narrow it down (Not that trying a handful of candidates is a massive obstacle, but lets say he was trying to do it without any fails period) – infixed Jul 01 '16 at 16:46
  • 1
    @NamanSood maybe you want to improve the quesiton mentioning why you would want to do this and ask if one can suggest a better option. ex, if md5 and sha1 is the best you have availble in your programming environment, re-hashing the md5 with sha1 would be much better. – CristianTM Jul 01 '16 at 17:10
  • I don't think this is a duplicate of Why improvising your own Hash function out of existing hash functions is so bad, because that focuses on composition of hash functions while this one focuses on concatenation. The answer to this question will focus on security-through-obscurity while that question has answers focusing on details of hashing algorithms – Neil Smithline Jul 01 '16 at 21:20
  • Imagine you have a password: 123456 and you decide to split it in 2 like: MD5(123)+SHA(456), you may think your hash may be stronger as it uses 2 algorithms. However, it is weaker as to crack MD5(123) is much more faster than the whole MD5(123456). That applies to any combination of algorithms like Bcrypt(123)+Scrypt(456). So its better to stick to only one algorithm. – lepe Jul 02 '16 at 06:57

1 Answers1

6

No, the method you have provided is considered to be security through obscurity or

the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms.

and generally considered to be a bad idea.

CaffeineAddiction
  • 7,771
  • 2
  • 24
  • 42