• caglararli@hotmail.com
  • 05386281520

Two different salted hashes of the same password for the same user

Çağlar Arlı      -    37 Views

Two different salted hashes of the same password for the same user

I am creating an authentication system that is able to login to the same account with different sets of credentials. I also want to allow users to login with either username or email with the same given password. To make it a little easier, I'm thinking of making the username and email a different record in the database with a different salt thus a different hash. Since this would be the same for all users, a compromised database would let the attacker know that two different hashes are derived from the same password.

Q: Does this knowledge weaken the derived password (even a bit)? Or is it better to use the same salt on the same password for one user (which would just be a copy of hash+salt)?

Note: I understand that storing two hashes with different salts of the same password is perfectly fine – that is why salt is used. But here the attacker gets a hint for the derived password. So https://security.stackexchange.com/a/269416/292328 doesn't answer my question.