Is it bad practice to store the hash function used as part of the hashed password?

Question

Using the php source code for hashing+salting at crackstation.net, the returned hash includes what hashing algorithm was used. I store the hash as returned from the create_hash function in my database. Is it bad practice to store this information? Will this give a hacker an advantage?

Answer 1

I think this is good practice. It means that if you upgrade your hashing function (to something more secure) new users will use the one new one immediately.

Now, you can't rehash users on the old hashing functions immediately, since you need their password to do that, and you can't retrieve it from its hashed state. Instead, when such a user logs in, you use their password to store a new hashed column, and reset the hashing function against their user account.

Thus, with such a configuration, users will slowly move onto the more secure system as they log in.

Answer 2

I wouldn't say it's a bad practice. The hash function can often be identified from the nature of the outputted hash (e.g. string length, etc.) so you probably wouldn't be telling an attacker anything they couldn't figure out from the hash anyways.