Is it more secure to refresh hashed passwords occasionally?

0
votes

I am learning about salt and hashing passwords. I have a node app that integrates with a SQL database. I am using the bcrypt node middleware to create hashed and salted passwords to store in my database. I've read up on how its not necessarily to make passwords expire except for a security threat...but what about hashes of the password?

In my perspective, wouldn't it make it more secure to randomly update every user's hashed password every week or so? The passwords would remain the same, but the server would generate and store a new hash.

If someone were to attempt to attack my website or the database, would having hashes randomly change help security?

2
securityhashpasswords

2 Answers

1
votes

No, it does not help at all. It doesn't matter whether the hashes change or not -- the passwords are still the same and hence the attacker can still launch a password search attack on the database he discovers regardless if it is the current one or not.

Kudos to you for using bcrypt and understanding how password expiry policies are virtually useless. For your information, NIST is providing new guidance on password security, and the good news is that a lot of irritating old things such as password expiry and requiring combinations of special characters are being dropped. Thank goodness logic is starting to prevail over the pile of rubbish password policy recommendations that have been forced upon too many people over the last decade.

0
votes

It would not help because the underlying algorithm remains the same. In a case where a hacker receives a list of hashed passwords, she can brute force the hashes with known algorithms and guessed salts against a word list in plain text. When the algorithm and guessed salt equals the plain text, the password is cracked regardless of the resulting hash.