{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 放我归山 的问题《Double hashing security》','https://www.manongdao.com/q-401486.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
My first question is, I've heard that hashing the string 2 times (e.g. sha1(sha1(password)) ), because the second hash has a fixed length, is it true??
My the second question is, which is safer? (var1 and var2 are 2 strings):
- sha1(var1 + sha1(var2))
- sha1(var1 + var2)
If it is the 1st one, is it worth the performance cost?
Hashing a string multiple times will complicate the task of the attacker in case of a dictionary attack, making it "much longer" to brute force. Your first question is not clear, but multiple hashes are not less secure because the second hash has a fixed length.
But more important than a multiple hash, the use of a salt is essential for a better security.
Concerning your second question, I would say that it is not very straightforward to say which of the 2 is the safest, I think going with the option 2 is really enough.
My feeling about this is that you're building a brick wall with a steel door, but the other walls are made of plywood. In other words, you can inject as much security as you want into hashing passwords, but there are still going to be much easier ways to crack your system. I think it's much better to take a broad approach to security instead of worrying too much about things like this.