Hi, I don’t know much about cybersecurity, but I’ve learned a little bit in university and also seen some YouTube videos from Computerphile, Tom Scott and a few others about the topic and I have a question.
As I understand it, passwords should be stored in the form of a hash generated by some publicly known algorithm, and due to this even if a hash gets compromised someone can try to brute force a password with the knowledge of this hash generator and based on some list of frequently used passwords or by doing a dictionary attack.
Having this in mind, why don’t developers add something more to the hash, which is their creative idea undisclosed to the public. Let’s say a site generated a hash for “password123” which is “6hah618kpa9”. The developer could choose to for example change every second character of this hash to another character, with an ascii code incremented by 2 and every fourth character to have a ascii code 3 less than the charcater from the orginal hash. This would make it impossible for anyone not knowing this rule to ever generate any hash from the site.
Is my thinking correct or am I missing something? Are people actually doing something similar and I just don’t know about it?