@MadaraUchiha
Created October 13, 2015 17:57
Why double hashing is bad

The woes of double hashing

What is a hashing function? A hashing function is a function that takes arbitrary input, and returns output with a uniform size (oversimplification, I know). What does this mean? Here's my hashing function:

// Toy hash: "1" if the input starts with 'A', "0" for everything else.
function myHash($input) {
    return $input[0] === 'A' ? "1" : "0";
}

This hash function accepts any string input and returns an output of a uniform size: either "0" or "1".

That's not a very good hashing function. It's far too easy to find collisions (in fact, "0" is the output for nearly every string you put in).

So what does double hashing do?

md5(myHash($something)); // What will this do?

Well, there are only two possible outcomes: either it's the MD5 of "0" or it's the MD5 of "1". So the same problem exists; there are still only two possible outputs. Hashing the result of a hash with a different hash function can't bring back the possibilities the inner hash already threw away, so it doesn't make things more secure. md5 alone would have been much more secure than combining md5 with myHash.

Given all that, password_hash() provides a much better hashing algorithm than md5(), and by doubling the hash you removed a lot of that "betterness".
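To make the point concrete, here is an added PHP illustration (not part of the original gist) that counts how many distinct digests each scheme can produce over a constructed list of passwords, then shows the single-hash usage that password_verify() expects:

```php
<?php
// Added example, not part of the original gist.
// Shows how wrapping a weak inner hash in md5() or password_hash()
// collapses the space of values that can ever reach the outer hash.

// The gist's toy hash: "1" if the input starts with 'A', otherwise "0".
// The empty-string guard is added so the example runs cleanly on any input.
function myHash(string $input): string {
    return ($input !== '' && $input[0] === 'A') ? "1" : "0";
}

// Count the distinct digests a hashing scheme produces over a set of inputs.
function distinctOutputs(callable $scheme, array $inputs): int {
    return count(array_unique(array_map($scheme, $inputs)));
}

// Constructed sample passwords (six distinct strings, two starting with 'A').
$passwords = ['Apple123', 'banana', 'Cherry!', 'dragonfruit', 'Avocado', 'elderberry'];

// md5 alone: every distinct input gets its own digest.
echo distinctOutputs('md5', $passwords), " distinct md5() digests\n";

// md5 over myHash: only md5("0") and md5("1") can ever appear, whatever the input.
echo distinctOutputs(fn($p) => md5(myHash($p)), $passwords),
     " distinct md5(myHash()) digests\n";

// password_hash over myHash: the strong algorithm is still only ever fed "0" or "1",
// so the salt and work factor protect a two-element input space.
echo distinctOutputs(fn($p) => myHash($p), $passwords),
     " distinct values reach password_hash()\n";

// Correct usage: hash the password once, store the whole returned string
// (it carries the algorithm, cost and salt), and check with password_verify().
$stored = password_hash('Apple123', PASSWORD_DEFAULT);
var_dump(password_verify('Apple123', $stored));
var_dump(password_verify('apple123', $stored));
```

Hashing the output of password_hash() again (for example with md5()) also breaks password_verify(), which needs the original "$2y$..." string to recover the salt and cost.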
