php - Does rehashing a randomly salted password at login increase security?


I'm working on a project in PHP, and I'm wondering how to make the system as secure as possible. I'm using password_hash to hash passwords and store them in the database. I'm wondering: does rehashing and re-saving a new salted hash to the database at login increase security, or is it an illusion?

I don't think it increases security, no. You have two risk scenarios:

  • The cracker breaks into the server and stays there for some time undetected. In this case, passwords can be captured programmatically as users log in. This requires less effort than brute-forcing strong hash algorithms.
  • The cracker breaks in, steals a copy of the database, and in response the sysadmin plugs the security hole and restores the server from backup quickly.

In the second case, the cracker has a set of usernames, email addresses and hashed passwords, which they may wish to try brute-forcing. There is no advantage to be had here in whether these hashes were created once or a thousand times.

It's worth remembering what we're trying to guard against here. If the security of the website has been breached, there is a knock-on effect for users who have used the same username/password combination at other popular services. A major reason for hashing, and the purpose an attacker has in brute-forcing passwords, is to see if users can be hacked elsewhere (for example social media or bank accounts).

This is why I recommend that people should not re-use passwords, and instead should use strong passwords stored in a password manager. It is better still if people can use a different username and/or a different email per service. Incidentally, it is surprisingly easy to use a different email per service: if you are on a Gmail address of gmail.alias@gmail.com, you can do this:

gmail.alias+randomcode@gmail.com 

The email should of course be stored in the password manager too - if you forget this, you will not be able to use password reminder features, and will be locked out unless the service is willing to accept other proof of identity. Despite that, this approach is stronger against the ripple effect of using a service that has been breached - a weak password reminder system elsewhere is harder to exploit if users use different email addresses.

Users with their own domain name can do similar - set up the email account as a "catch all" and use whatever aliases they like.
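Added example (PHP; not code from the question or the answer above) illustrating the rehashing point: an unconditional rehash at login only yields a new salt at the same bcrypt cost, so an attacker holding the database still spends one bcrypt evaluation per guess either way, while password_needs_rehash() identifies the one case where rehashing at login is worthwhile, namely upgrading a stale hash to the current cost. The cost factors and sample password are assumptions.

```php
<?php
// Added example, not from the original post. Shows that rehashing a strong
// password_hash() result at login gives a new salt but no extra cracking
// resistance, and that password_needs_rehash() limits rehashing to the
// useful case: a stored hash whose algorithm or cost is out of date.

const HASH_OPTIONS = ['cost' => 12];   // assumption: bcrypt cost chosen for this app

function createUser(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
}

/**
 * Verify a login and return the hash to store: the original hash when it
 * already meets current policy, an upgraded one when it does not.
 * Returns null on a wrong password.
 */
function login(string $password, string $storedHash): ?string {
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // Rehash only when algorithm or cost no longer matches current policy.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        return password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    return $storedHash;
}

$password = 'correct horse battery staple';  // constructed sample password

// Constructed legacy row: same password hashed earlier at a lower cost.
$legacyHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$current    = createUser($password);

// Unconditional rehash: different salt, identical cost factor, identical
// per-guess work for anyone brute-forcing a stolen database.
$rehashed = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
printf("current:  %s\nrehashed: %s\n", $current, $rehashed);
$sameCost = password_get_info($current)['options']['cost']
         === password_get_info($rehashed)['options']['cost'];
printf("same cost factor: %s\n", $sameCost ? 'yes' : 'no');

// Login against the legacy row upgrades it to the current cost.
$upgraded = login($password, $legacyHash);
printf("legacy still needs rehash: %s\n",
    password_needs_rehash($upgraded, PASSWORD_BCRYPT, HASH_OPTIONS) ? 'yes' : 'no');

// Login against a current row keeps the stored hash; a wrong password yields null.
var_dump(login($password, $current) === $current);
var_dump(login('wrong password', $current));
```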
