3

I have an encryption method that has the following behavior: each character of the password is put through a method that gets the ASCII value of that character and shifts the bytes one way, and then the other way, and returns the following:

$shifted_left.$original_char.$shifted_right.

An example of a password before it is hashed:

àp8Âa0æs9æs9îw;Þo7är9Èd2Îg3Þo7Êe2æs9Ðh4Êe2är9Êe2d2

After this, the resultant string formed from going through each character in the original password is hashed using BCrypt. Does surrounding the passwords with these junk characters improve the strength of the passwords or protect them from being cracked via rainbow tables/dictionary attack?

6
  • As far as I know, (SHA1||SHA256)+Salt is pretty strong and currently recommended. Commented Jul 12, 2012 at 7:03
  • @Ron Not exactly, specifically for password hashes you want an algorithm that is slow, like Blowfish. SHA is specifically a fast algorithm, so if you're using it, you should at least stretch it significantly. Commented Jul 12, 2012 at 7:07
  • 2
    if someone knows this "pre-hashing" algorithm, he could compile a rainbow table just for you. Does it improve the strength? Yes. Does it completely protect you? No. Commented Jul 12, 2012 at 7:07
  • @Roman What a nice terse answer .. Commented Jul 12, 2012 at 7:09
  • @deceze: SHA/MD5-like hashing and Blowfish-like encryption are 2 different things. Hashing is not really about speed (if you don't mind the build speed of a rainbow table, of course), but about being unable to decode the hash. What you do with the bit-shifting is (in theory) the same as what you do by adding a salt to an unshifted string. Salting makes it impossible to build rainbow tables. You just have to use very random salts... Commented Jul 12, 2012 at 7:13

2 Answers

3

Generally yes, it does prevent pre-computed rainbow tables, since you have a rather unique algorithm that probably nobody has bothered creating a rainbow table for.

But, the same password still hashes to the same hash. So an attacker trying to brute-force all your password hashes has an easier time because he only needs to crack the same password once for all users.

Therefore, it is still very advisable to use user-specific salts. And if you're using user-specific salts with an already strong hashing algorithm, it doesn't really matter whether you also do the bit shifting dance or not.


3 Comments

True, but since the password being hashed isn't actually the password, but the jumbled string, doesn't that mean if they were to attempt a brute force attack, they wouldn't be able to actually crack any of the passwords since the real password isn't stored?
When an attacker breaks into your server (or wherever your code is), he/she knows how you build your hash string. There is no magic, so an attacker can brute-force the hashes very soon...
@SHH If they'd attempt to brute-force your data, they'd need to know your particular algorithm anyway. It's not really possible to tell from looking at a hash what algorithm was used. If your database is compromised so that your hashes are leaked, simply assume that the algorithm is leaked with it since the attacker has access to your server.
2

If the attacker has control over database and code, adding scrambled characters will help nothing at all (only a negligible operation more). If he has only the database without code (SQL injection), then he will recognize the bcrypt hash and can now brute-force with bcrypt, but because of the scrambling there aren't any weak passwords. It's like the scrambled text would be the password to crack, so a dictionary is of no use.

This is security by obscurity, but will be effective as long as the code is not known. You can get the same effect more easily by adding a fixed, hard-coded salt (key) before using bcrypt with the unique salt.

P.S. The unique salt used in bcrypt will help against rainbow tables, not the scrambling of your password. A big rainbow table can also contain random combinations like your scrambled password.
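The points made in both answers can be checked directly. The example below is added here and is not the questioner's code or either answerer's; it reconstructs the scramble from the sample string on the page (the sample is consistent with `chr(ord(c) << 1) + c + chr(ord(c) >> 1)` for each character: 'p' is 112, 224 is 'à' and 56 is '8', which also recovers the original password `passwordgoeshere2`, whose last right-shifted character is an unprintable control code). The real shift in the question is not shown, so that reconstruction is an assumption. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the snippet runs without extra packages; the argument concerns what happens before the slow hash and applies to bcrypt unchanged. The wordlist, salts and pepper value are constructed for the demo.

```python
import hashlib


def scramble(password: str) -> str:
    # Assumed reconstruction of the question's transform: for each character,
    # the code point shifted left one bit, the character itself, then the
    # code point shifted right one bit. Only meaningful for ASCII input.
    return "".join(chr(ord(c) << 1) + c + chr(ord(c) >> 1) for c in password)


def unscramble(scrambled: str) -> str:
    # The original character sits in every middle position, so anyone who has
    # seen the transform inverts it trivially: it adds no entropy and no secret.
    return scrambled[1::3]


# The sample string from the question, with the final right-shifted character
# (chr(25), a control code that does not print on the page) restored.
PAGE_SAMPLE = "àp8Âa0æs9æs9îw;Þo7är9Èd2Îg3Þo7Êe2æs9Ðh4Êe2är9Êe2d2\x19"

# Stand-in for bcrypt. The iteration count is kept low so the demo is quick;
# production settings are far higher.
ITERATIONS = 5_000


def hash_password(password: str, salt: bytes, pepper: bytes = b"",
                  transform=scramble) -> bytes:
    # `pepper` is an optional fixed secret prepended before hashing: the
    # "hard-coded salt (key)" the second answer proposes as the simpler way to
    # get the same effect as the scramble. `transform` is whatever
    # pre-processing the server applies before the slow hash.
    material = pepper + transform(password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def crack(target: bytes, salt: bytes, wordlist, transform=scramble,
          pepper: bytes = b""):
    # Dictionary attack by an attacker who has the hash and the salt and
    # guesses the pre-processing. Returns the recovered password or None.
    for candidate in wordlist:
        if hash_password(candidate, salt, pepper, transform) == target:
            return candidate
    return None


def hashes_collide(password: str, salt_a: bytes, salt_b: bytes) -> bool:
    # Two users with the same password collide exactly when they share a salt,
    # which is the first answer's argument for per-user salts.
    return hash_password(password, salt_a) == hash_password(password, salt_b)


def scrambled_utf8_len(password: str) -> int:
    # Every left-shifted character of a printable ASCII letter is >= 128 and
    # takes two UTF-8 bytes, so the scrambled string is roughly four times the
    # length of the password. bcrypt reads at most 72 bytes of input, so with
    # UTF-8 output anything past about the 18th character is silently dropped.
    return len(scramble(password).encode("utf-8"))


# Constructed wordlist; the recovered sample password is an ordinary phrase,
# so a realistic attacker list would contain it.
WORDLIST = ["123456", "letmein", "qwerty", "passwordgoeshere2", "hunter2"]

if __name__ == "__main__":
    salt = b"0123456789abcdef"
    print("recovered from sample:", unscramble(PAGE_SAMPLE))
    target = hash_password("passwordgoeshere2", salt)
    print("attacker knows scramble:", crack(target, salt, WORDLIST))
    print("attacker ignores scramble:", crack(target, salt, WORDLIST, lambda p: p))
    print("same salt collides:", hashes_collide("letmein", salt, salt))
    print("per-user salt collides:", hashes_collide("letmein", salt, b"fedcba9876543210"))
    peppered = hash_password("passwordgoeshere2", salt, pepper=b"server-secret")
    print("pepper unknown:", crack(peppered, salt, WORDLIST))
    print("pepper leaked:", crack(peppered, salt, WORDLIST, pepper=b"server-secret"))
    print("scrambled bytes for a 17-char password:", scrambled_utf8_len("passwordgoeshere2"))
```

Two things worth noting from running it: the scramble only stops the dictionary attack while the attacker does not know it, exactly like the pepper, and knowing it costs the attacker one cheap string operation per guess, so the per-guess cost is set entirely by the slow hash. The length check is the practical caveat to add to any such scheme: the scramble multiplies the input length, and bcrypt truncates at 72 bytes, so long passwords lose their tail before hashing unless the scrambled output is hashed down first.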

