I remember reading about a scheme where the process of checking a password went like this:
- given (hash, salt) in a database,
- hash password with salt to check against the hash,
- hash password with old hash as salt,
- store (new hash, salt a.k.a. old hash) in the database.
I can’t find the original source. In any case, I don’t understand
- what the advantage is of using the old hash as the salt (as opposed to using a random salt),
- what the advantage of this scheme is in general (further complicating rainbow table attacks?), and
- if there is an advantage, how one would apply the scheme using PHPass, since the salt seems to be managed “within” PHPass…
Intuitively, I think this scheme would do nothing at best, or worsen security at worst (due to a dependency on a past value), but password security is one area where I don’t trust my intuition. Please enlighten me.
EDIT:
I’m asking about re-hashing the password on each check. These similar questions do answer the first question—that using a hash as a salt is useless—but not whether it’s useful to re-hash on each check:
I am no security expert, but to answer #1 there is no advantage. All it does is complicate things further.
Just use a good randomly generated salt.
Like you said, PHPass handles it internally, and PHPass is considered an extremely good tool as it has been reviewed by many security experts.
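
The check-and-re-hash flow described in the question, next to the random-salt variant the answer recommends, as an added example that is not part of the original thread. PBKDF2 via PHP's `hash_pbkdf2` stands in for PHPass so that the salt is visible; the function names, record layout and iteration count are assumptions.

```php
<?php
// Added example, not code from the thread. PBKDF2-HMAC-SHA256 stands in for
// PHPass so the salt is explicit; names and ITERATIONS are assumptions.
const ITERATIONS = 200000;

function derive(string $password, string $salt): string
{
    // Raw 32-byte output; the salt is stored next to it in the same row.
    return hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 32, true);
}

// Verify a login against ['hash' => ..., 'salt' => ...]. On success return the
// replacement row; on failure return null so the stored row stays as it is.
// $saltFromOldHash = true is the scheme from the question, false draws a fresh salt.
function check_and_rotate(array $record, string $password, bool $saltFromOldHash): ?array
{
    $candidate = derive($password, $record['salt']);
    if (!hash_equals($record['hash'], $candidate)) {
        return null;
    }
    $newSalt = $saltFromOldHash ? $record['hash'] : random_bytes(16);
    return ['hash' => derive($password, $newSalt), 'salt' => $newSalt];
}

// Constructed sample data.
$password = 'correct horse battery staple';
$salt0    = random_bytes(16);
$initial  = ['hash' => derive($password, $salt0), 'salt' => $salt0];

// A wrong password never produces a replacement row.
printf("wrong password rejected: %s\n",
    var_export(check_and_rotate($initial, 'wrong guess', true) === null, true));

foreach ([true, false] as $fromOld) {
    $a    = check_and_rotate($initial, $password, $fromOld); // first login
    $b    = check_and_rotate($initial, $password, $fromOld); // same row, replayed
    $next = check_and_rotate($a, $password, $fromOld);       // following login
    printf("%s\n", $fromOld ? 'salt = old hash' : 'salt = random_bytes(16)');
    printf("  row replaced after login:    %s\n", var_export($a['hash'] !== $initial['hash'], true));
    printf("  following login verifies:    %s\n", var_export($next !== null, true));
    printf("  same row gives same new row: %s\n", var_export($a === $b, true));
}
```

In both variants the current salt sits in the same row as the hash it protects; the only line that differs between them is the one that picks `$newSalt`.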