Is it overkill to encrypt an already hashed BCrypt password?

0
votes

I'm using BCrypt to hash my passwords on the server side. Before I store it in my MySQL database, would it be overkill to encrypt my hashed-BCrypt password or would storing the hash directly in the database suffice?

This website advises to encrypt passwords after hashing them:

As long as an attacker can use a hash to check whether a password guess is right or wrong, they can run a dictionary or brute-force attack on the hash. The next step is to add a secret key to the hash so that only someone who knows the key can use the hash to validate a password. This can be accomplished two ways. Either the hash can be encrypted using a cipher like AES, or the secret key can be included in the hash using a keyed hash algorithm like HMAC.

EDIT: I'm coding in Java. I'm trying to gauge whether the added layer of protection vs. speed performance of read & retrieval of passwords for user logins is worth it or not.

1
mysqlpasswordsbcrypt
What do you hope to gain by encrypting it?Luke Joshua Park
Are you using PHP?Raymond Nijland
@LukeJoshuaPark I'm trying to gauge whether the added layer of protection vs. the speed performance of retrieving the password to login for users is worth it or notJae Bin
@RaymondNijland JavaJae Bin
If you run the generating bcrypt method on the same password does you get different hashes.. in PHP this is the case meaning the PHP version is safe against bruteforce the hash attack to get the password. Verification happens in PHP with password_verify() to check if the password is correct.. Not sure how this works in Java because googling gives some different frameworks to use Bcrypt in Java...Raymond Nijland

1 Answers

1
votes

This would indeed increase security, but it is good to know what exactly you gain with encryption.

  • Encrypting the password-hash can protect weak user passwords from a dictionary attack, in the special case, where the attacker has read-access to the database (containing the hashes) but does not have access to the source code with the key/pepper.

This situation is not so uncommon as one would think, typical scenarios would be SQL-injection, thrown away backups, discarded servers...

To be able to brute-force for passwords one needs the server side key, which was used to encrypt the password-hashes. This means, being able to read the hashes from the database is not enough anymore, one needs additional privileges to read the key from the server. Getting privileges on the server is much more difficult than being able to read the database.

Crackstation is a good site for advice. At the end of my own tutorial about safely storing password I try to explain the details of this password-hash encryption.