I recently practiced my Tek13 presentation at my SDPHP user group. What I really like about user groups is the interaction and discussion that often ensues about the given topic. At the time, one of the members asked me about trying to outdo your adversary with what amounts to “Security by obscurity”. He was asking about MD5 hashing multiple times to throw off an attacker. My response was not a good enough reason, but it was the best I had at the time, which was “it’s not a good idea, it won’t do you any good.”
After thinking about it, I have a good reason why now. I will try to put it into words here.
First, security algorithms are all about best practices and trusting the experts, meaning everything we use today is open source and has been tested by the brightest. Encryption algorithms are very hard to understand, so we shouldn’t try to write them ourselves.
Now for the real explanation. Hashing just gives us a value, also called a digest. At the end of the day, at least when it comes to passwords, attackers just want access to the system, not necessarily the password. Sure, they would love to have that as well, but it’s not necessary. Attackers can also rely on hashing collisions to give them access. Let me try to demonstrate.
A hash collision is when two different strings give you the same digest. So trying to secure your passwords by obscuring the method used doesn’t really help you here. All I need to do is find any string that, when hashed, gives me the proper value.
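To make the collision argument concrete, here is an added example (not code from the original post or talk). It truncates MD5 to 16 bits, an assumption made only so that a collision turns up in milliseconds, and shows that two strings which collide after one round still collide after any number of repeated rounds. The function names and round counts are hypothetical.

```python
import hashlib
import hmac
from itertools import count

# Assumption for the demo: keep only 16 bits of each MD5 digest so a
# collision can be found in milliseconds. Repetition behaves the same way
# on the full 128-bit digest.
DIGEST_BYTES = 2


def toy_md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()[:DIGEST_BYTES]


def stacked_hash(password: bytes, rounds: int) -> bytes:
    """The 'secret recipe': apply the hash `rounds` times in a row."""
    digest = toy_md5(password)
    for _ in range(rounds - 1):
        digest = toy_md5(digest)
    return digest


def find_collision(prefix: bytes = b"candidate-"):
    """Return two different strings with the same single-round digest."""
    seen = {}
    for i in count():
        candidate = prefix + str(i).encode()
        digest = toy_md5(candidate)
        if digest in seen:
            return seen[digest], candidate
        seen[digest] = candidate


def check_login(stored: bytes, attempt: bytes, rounds: int) -> bool:
    return hmac.compare_digest(stored, stacked_hash(attempt, rounds))


if __name__ == "__main__":
    password, other = find_collision()  # constructed sample inputs
    for rounds in (1, 7, 1000):
        stored = stacked_hash(password, rounds)
        print(rounds, stored.hex(), check_login(stored, other, rounds))
```

Every row reports True, because once the first round produces the same digest for both inputs, every later round is fed identical data.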
In the end, follow best practices and use bcrypt now. Don’t try to make MD5 or SHA1 work for you in this scenario. Trust the experts… rolling your own is a bad idea in this area.