2

I am aware of the implications that hashing something more than once correctly will increase the security of a system, but doing it incorrectly will decrease it, as noted here and on various other sources.

But I stumbled upon a feature of Keepass, where the password database is encrypted N times to increase the work factor for brute force or dictionary attacks. This part explains how it is done: Protection against Dictionary Attacks

While I think that I am aware of the implication of hashing several times I am unsure whether encrypting several times, as explained above, increases robustness of the database.

Disclaimer: I've read Keepass Dictionary Attack Protection Strategy

Community
  • 1
Samuel
  • 728
  • 5
  • 13

1 Answers1

1

It's a different scheme. Generally it is accepted that when using a password hashing algorithm, which is intended to be very slow, is acceptable. What KeePass is doing is very similar to what most hashing algorithms do, namely slowing down hash calculation.

Their way is not a standard way. Most password hashing algorithms, such as PBKDF2, scrypt and bcrypt can actually also be tuned in the number of rounds to be used as to increase workload.

The question about which is more secure has to be put into perspective. If you slow down the hashing as much as with their encryption scheme, then the security should be the same.

Lucas Kauffman
  • 54,437
  • 17
  • 116
  • 196