
I use bcrypt to hash and store user passwords, and then again to generate unique access tokens, both of which are salted.

In the first case, I simply hash the password + a salt (one randomly generated salt per user). In the second case, I hash, with a unique and randomly generated salt, a concatenated string consisting of the user's username, their password, and an autoincrementing integer (so the user can have multiple access tokens).

By including the password in these two hashes, am I making it any easier for a potential attacker with knowledge of the username and auto-incrementing integer and both hash values to guess the user's password?

  • Perhaps better suited to https://crypto.stackexchange.com/ – lhf Jul 01 '22 at 16:43
  • The security of password hashing algorithms relies only on the secrecy of the password. Adding any known values should not reduce the security. One needs a password with strength, nothing more! – kelalaka Jul 04 '22 at 20:23
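An added example, not from the question or its comments, of building the token input described above in Python (function names and the length-prefixed field encoding are assumptions, not the asker's code). Including the password in the token hash does not hand an attacker a cheaper guessing target, but the concatenation has a practical pitfall: bcrypt only consumes the first 72 bytes of its input, so a long username plus a long password can push the counter (and the tail of the password) past the point where it influences the hash. Pre-hashing the material keeps every field in play.

```python
import base64
import hashlib

# bcrypt silently ignores input bytes beyond this point (a known property of the algorithm).
BCRYPT_MAX_INPUT = 72


def raw_token_material(username: str, password: str, counter: int) -> bytes:
    """The username + password + counter concatenation from the question.

    Each field is prefixed with its 2-byte length (assumed encoding) so that two
    different (username, password, counter) triples can never yield the same bytes,
    e.g. ("ab", "c", 1) versus ("a", "bc", 1).
    """
    parts = [
        username.encode("utf-8"),
        password.encode("utf-8"),
        str(counter).encode("ascii"),
    ]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def would_truncate(material: bytes) -> bool:
    """True when bcrypt would drop part of this input, including possibly the counter."""
    return len(material) > BCRYPT_MAX_INPUT


def bcrypt_safe_material(username: str, password: str, counter: int) -> bytes:
    """Pre-hash with SHA-256 and base64-encode the digest.

    The result is always 44 ASCII bytes (under the 72-byte limit and free of NUL
    bytes, which some bcrypt implementations reject), so the whole string, counter
    included, always contributes to the bcrypt result. Hand this to
    bcrypt.hashpw(material, bcrypt.gensalt()) with a fresh salt per token.
    """
    digest = hashlib.sha256(raw_token_material(username, password, counter)).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    long_user, long_pw = "a" * 40, "b" * 40
    print("raw input would be truncated:", would_truncate(raw_token_material(long_user, long_pw, 1)))
    print("pre-hashed length:", len(bcrypt_safe_material(long_user, long_pw, 1)))
```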

0 Answers