javahashalgorithm

Will this method make sha256 harder to crack?


Will this method make sha256 harder to crack?

 public byte[] hash(String password) throws NoSuchAlgorithmException {
     MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
     byte[] passBytes = password.getBytes();
     byte[] passHash = sha256.digest(passBytes);
     for (int i = 0; i < 10; i++) {
         passHash = sha256.digest(passHash);
     }
     return passHash;
 }

Solution

  • What you have there is called key stretching and it will make the SHA harder to crack. The basic process is to slightly increase the work that the server does in order to massively increase the work that any attacker must do.

    This is effective because the server is deriving the hash from a known plaintext input, while the attacker is making many many guesses at what the plaintext must be. This means that the server stretches the key once while the attacker must do it many times.

    You can read more about this technique here. Some hashing algorithms, such as bcrypt, are always assumed to involve multiple rounds like this.