Generating a SHA256 Hash from another Hash
#2
I've moved this to the General Talk forum since this has nothing to do with hashcat.

No, this is not a strong way to hash passwords. SHA2 is cryptographically strong, but is not appropriate for password storage because it is way too fast. You can create a fairly secure password storage function using SHA2 if you were to salt and iterate it; however, in your example above, you are only using 3 iterations and it is unclear if you are salting, so this scheme would be extremely weak.

Never never never design your own password hashing function. Always use a proven password hashing scheme designed by people who know what they are doing.

For decent examples of iterated & salted SHA2-based schemes, see sha256crypt and PBKDF2-HMAC-SHA256 (32-bit), or sha512crypt and PBKDF2-HMAC-SHA512 (64-bit). However, note that SHA2 is very amenable to acceleration and thus has a fairly high Attacker-Defender Ratio (ADR), so neither sha*crypt nor PBKDF2 is really the best choice for password hashing. It is much better to use a memory-hard password hashing function such as bcrypt or scrypt, or the new Argon2 or yescrypt schemes when they are finalized.
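The contrast described in the post above, as an added example that is not part of the original post: a 3-round unsalted SHA-256 beside salted PBKDF2-HMAC-SHA256 and scrypt from Python's standard `hashlib`. The weak function is an assumed reconstruction of the scheme in question, and the `scheme$params$salt$hash` storage string, the function names and the cost parameters are choices made for this example, not a standard format.

```python
import hashlib
import hmac
import os

def weak_triple_sha256(password: str) -> str:
    """Assumed reconstruction: 3 unsalted SHA-256 rounds (fast, deterministic)."""
    digest = password.encode()
    for _ in range(3):
        digest = hashlib.sha256(digest).hexdigest().encode()
    return digest.decode()

def hash_pbkdf2(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, iterated SHA-2. The iteration count is an example value."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def hash_scrypt(password: str, salt: bytes = None, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Memory-hard: needs about 128 * n * r bytes (16 MiB with these example values)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                        maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${n}:{r}:{p}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost parameters, compare in constant time."""
    scheme, params, salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "pbkdf2-sha256":
        candidate = hash_pbkdf2(password, salt, int(params))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(":"))
        candidate = hash_scrypt(password, salt, n, r, p)
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Unsalted: two users with the same password get the same stored value.
    print(weak_triple_sha256(pw) == weak_triple_sha256(pw))  # True
    # Salted: the same password stores differently each time, yet still verifies.
    a, b = hash_pbkdf2(pw), hash_pbkdf2(pw)
    print(a != b, verify(pw, a), verify("wrong guess", a))   # True True False
    print(verify(pw, hash_scrypt(pw)))                       # True
```
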


Messages In This Thread
RE: Generating a SHA256 Hash from another Hash - by epixoip - 04-30-2016, 09:35 PM