Is “double hashing” a password less secure than just hashing it once?

Backend · Unresolved · 16 · 2031

梦谈多话 2020-11-22 08:09

Is hashing a password twice before storage any more or less secure than just hashing it once?

What I'm talking about is doing this:

$hashed_password

16 answers

  • 南方客 (OP)
    2020-11-22 08:53

    Double hashing makes sense to me only if I hash the password on the client, and then save the hash (with different salt) of that hash on the server.

    That way even if someone hacked his way into the server (thereby ignoring the safety SSL provides), he still can't get to the clear passwords.

    Yes he will have the data required to breach into the system, but he wouldn't be able to use that data to compromise outside accounts the user has. And people are known to use the same password for virtually anything.

    The only way he could get to the clear passwords is installing a keygen on the client - and that's not your problem anymore.

    So in short:

    1. The first hashing on the client protects your users in a 'server breach' scenario.
    2. The second hashing on the server serves to protect your system if someone got a hold of your database backup, so he can't use those passwords to connect to your services.
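
The two-stage scheme this answer describes, as an added example that is not the answerer's code or anything from the original page: the client pre-hashes the password with a constructed site-wide constant and the username, the server applies a slow, per-user-salted hash on top of that pre-hash, and a copied database record does not work as a login credential. The constant, the PBKDF2 parameters and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed site-wide domain separator for the client-side pre-hash (assumption).
CLIENT_DOMAIN = b"example-app-v1:"
PBKDF2_ROUNDS = 100_000  # assumption; tune to the server's cost budget


def client_prehash(username: str, password: str) -> bytes:
    """Stage 1, run on the client: the clear password never leaves the device.
    The username acts as a per-user salt so identical passwords differ per account."""
    msg = CLIENT_DOMAIN + username.encode() + b":" + password.encode()
    return hashlib.sha256(msg).digest()


def server_store(prehash: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stage 2, run on the server: slow hash of the pre-hash with a random per-user salt.
    Returns (salt, stored_hash); only these two values go into the database."""
    salt = os.urandom(16) if salt is None else salt
    stored = hashlib.pbkdf2_hmac("sha256", prehash, salt, PBKDF2_ROUNDS)
    return salt, stored


def server_verify(prehash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute stage 2 for the submitted pre-hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", prehash, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    user, pw = "alice", "correct horse battery staple"  # constructed sample credentials
    salt, stored = server_store(client_prehash(user, pw))
    return {
        "good_login": server_verify(client_prehash(user, pw), salt, stored),
        "wrong_password": server_verify(client_prehash(user, "wrong"), salt, stored),
        # Point 2 above: a record copied from the database is not a usable credential,
        # because submitting the stored value in place of the pre-hash does not verify.
        "replayed_db_value": server_verify(stored, salt, stored),
        # Point 1 above: the stored value is not the client-side hash, let alone the
        # clear password, so it is of no use against the user's other accounts.
        "db_value_equals_prehash": stored == client_prehash(user, pw),
    }
```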
