Password Hashing Technique

I know it's a good practice to salt and pepper passwords when storing them in a database, as well as hashing them several times. However tonight I was thinking about a different way to store passwords in a database.

Basically it just takes a random number, in the case for the example it's between 10,000 and 20,000. It then hashes the password based on the random number that is generated and then it would store the password AND the random number in the database.

I didn't add any salt or pepper to the password since this is really just added security but would this be an effective measure? I know that if a hacker got into the database they could see how many times the password is hashed, but they would have to hash their library based on how the original number that was created at registration.

Or when storing the number in the database you could add a number to the random number and at login you could subtract that same number so the actual number of hashes aren't stored in the database.

Anyway I'm just looking for some input on this idea, code example below.

$hashed = rand(10000, 20000);
$password = "SomeRandomPassword";
$i = 0;
$hashedPassword = "";
for($i = 0; $i <= $hashed; $i++)
$password = hash('sha256', $password);
When writing the hashed password to
the database also write the random
number so at login the random number
can then be called.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!