January 24, 2021

A noob question about password storage

Hi, I don’t know much about cybersecurity, but I’ve learned a little bit in university and have also seen some YouTube videos from Computerphile, Tom Scott and a few others about the topic, and I have a question.

As I understand it, passwords should be stored in the form of a hash generated by some publicly known algorithm, and because of this, even if a hash gets compromised, someone can try to brute-force a password with the knowledge of this hash generator, based on some list of frequently used passwords or by doing a dictionary attack.

Having this in mind, why don’t developers add something more to the hash, some creative idea of their own that is undisclosed to the public? Let’s say a site generated a hash for “password123” which is “6hah618kpa9”. The developer could choose to, for example, change every second character of this hash to another character with an ASCII code incremented by 2, and every fourth character to one with an ASCII code 3 less than the character from the original hash. This would make it impossible for anyone not knowing this rule to ever generate any hash from the site.

Is my thinking correct or am I missing something? Are people actually doing something similar and I just don’t know about it?
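The rule described in the post, implemented as an added example (this is not code from the original post), next to the way a server-side secret is normally combined with password hashing. `mangle`/`unmangle` are one reading of the post’s rule: the post does not say what happens at positions that are both a second and a fourth character, so here the fourth-character rule wins. The `PEPPER` value, the iteration count and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Sample inputs, constructed for this example.
PASSWORD = "password123"
WRONG_PASSWORD = "Password123"


def public_hash(password: str) -> str:
    """The 'publicly known algorithm' step: a plain, unsalted SHA-256 hex digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(digest_hex: str) -> str:
    """One reading of the post's secret rule, with 1-based positions:
    every fourth character gets an ASCII code 3 lower, every other even
    position gets an ASCII code 2 higher, odd positions are left alone."""
    out = []
    for pos, ch in enumerate(digest_hex, start=1):
        if pos % 4 == 0:
            out.append(chr(ord(ch) - 3))
        elif pos % 2 == 0:
            out.append(chr(ord(ch) + 2))
        else:
            out.append(ch)
    return "".join(out)


def unmangle(mangled: str) -> str:
    """Exact inverse of mangle(). The rule is a fixed bijection on strings,
    so whoever learns it recovers the plain hash and attacks that instead."""
    out = []
    for pos, ch in enumerate(mangled, start=1):
        if pos % 4 == 0:
            out.append(chr(ord(ch) + 3))
        elif pos % 2 == 0:
            out.append(chr(ord(ch) - 2))
        else:
            out.append(ch)
    return "".join(out)


# Server-side secret ("pepper"). Constructed constant for this example; in a
# deployment it lives in a secrets store or HSM, never in the password database.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Keyed with the pepper (HMAC), then salted and slowed with PBKDF2.
    Returns a self-describing record: scheme$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)
    return f"pbkdf2-hmac-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2-hmac-sha256":
        return False
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    h = public_hash(PASSWORD)
    m = mangle(h)
    print("plain hash  :", h)
    print("mangled     :", m)
    print("round trip  :", unmangle(m) == h)
    record = hash_password(PASSWORD)
    print("stored      :", record)
    print("correct pw  :", verify_password(PASSWORD, record))
    print("wrong pw    :", verify_password(WRONG_PASSWORD, record))
    print("wrong pepper:", verify_password(PASSWORD, record, pepper=b"not-the-pepper"))
```

Two things the code makes visible. The character-shifting rule is a fixed, reversible mapping: `unmangle` undoes it with no secret material, so once the rule is known (source leak, a departing developer, a single known password/hash pair) the attacker is back to guessing against the plain hash at full speed. The pepper plays the role the post is reaching for, but as a key rather than an algorithm: it is random, as long as a key, kept outside the database, and can be rotated, and the salt plus PBKDF2 iterations are what actually raise the cost of each guess.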
