
No. The database only contains the double hash. It still needs to be brute-forced.

There is zero downside to doing an extra hash, except the chance that someone codes such a basic thing wrong.




No. Other websites on the internet, where the user also registered with the same email and password, contain the single hash.


Oh, I see. Other websites give you the 'password' to this website.

But only if neither site uses salt, so salt all your hashes. (Not even a salt is necessary here, just a site-wide addition would be fine. Or honestly you could just use a hash that wouldn't be used by a site too dumb to salt their database.)
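The scenario discussed in this thread, as an added example that is not part of any comment above: it shows why an unsalted single hash stored by another site works as the login value for a double-hash site, and how a site-wide addition breaks that. It assumes the client sends the inner hash and the server stores a hash of it; SHA-256, the function names, the password and the `SITE_A_TAG` value are all constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """Fast hash used only to illustrate the structure (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()

# Constructed sample values, not taken from the thread.
PASSWORD = b"correct horse battery staple"
SITE_A_TAG = b"site-a.example:"   # hypothetical site-wide addition

def other_site_stored(password: bytes) -> bytes:
    """What an unsalted site keeps in its database: the single hash."""
    return h(password)

def client_token(password: bytes, site_tag: bytes = b"") -> bytes:
    """Inner hash computed before the value is sent to the double-hash site."""
    return h(site_tag + password)

def server_stored(token: bytes) -> bytes:
    """Double-hash site stores a hash of whatever the client sends."""
    return h(token)

def login_ok(token: bytes, stored: bytes) -> bool:
    """Server-side check: hash the submitted token and compare in constant time."""
    return hmac.compare_digest(h(token), stored)

def leaked_hash_logs_in(site_tag: bytes) -> bool:
    """Does the other site's stored hash pass as a login token here?"""
    stored = server_stored(client_token(PASSWORD, site_tag))
    return login_ok(other_site_stored(PASSWORD), stored)

def real_user_logs_in(site_tag: bytes) -> bool:
    """The legitimate client must still authenticate under either scheme."""
    stored = server_stored(client_token(PASSWORD, site_tag))
    return login_ok(client_token(PASSWORD, site_tag), stored)

if __name__ == "__main__":
    print("no site-wide addition, leaked hash accepted:", leaked_hash_logs_in(b""))
    print("with site-wide addition, leaked hash accepted:", leaked_hash_logs_in(SITE_A_TAG))
    print("with site-wide addition, real user accepted:", real_user_logs_in(SITE_A_TAG))
```
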



