by jsn 3652 days ago
Password hashing is used to prevent brute forcing when the attacker already has a copy of the password database and is free from any failed-attempt limits and timeouts. And in this case storing hashes of all 3-letter combos is basically useless, since all those hashes are very easy to brute-force.
2 comments

Ah ok, so you're starting from the assumption that the site has already been owned and the attacker has the hashed passwords. In which case yes, it does make it easier.
Can't it be achieved by these simple steps? Consider your password is y.
a) f(y, i) = a func that gets the i'th character of the password y;
b) hash(x) is your hashing func;
c) x0 = hash(y);
d) concat(a, b) - concatenation func;
1. x1 = hash(concat(f(y,1), x0));
2. x2 = hash(concat(f(y,2), x0));
... etc.

Store in DB:

  id  position  hash  user_id
  1   0         x0    1
  2   1         x1    1
  3   2         x2    1
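An added example, not part of the thread: it builds the rows proposed in the comment above and counts the hash evaluations an offline search over those rows needs, which is the leaked-database case the first comment describes. SHA-256, the 94-symbol alphabet, the sample password and the function names are assumptions made for the illustration.

```python
import hashlib
import string

# Assumption: passwords are drawn from 94 printable, non-space ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def h(data: str) -> str:
    """Stand-in for hash(x); SHA-256 is an assumption, the comment names no hash."""
    return hashlib.sha256(data.encode()).hexdigest()


def build_rows(password: str):
    """(position, hash) rows: x0 = hash(y), x_i = hash(concat(f(y, i), x0))."""
    x0 = h(password)
    rows = [(0, x0)]
    for i, ch in enumerate(password, start=1):
        rows.append((i, h(ch + x0)))
    return rows


def offline_cost(rows, alphabet=ALPHABET):
    """Resolve each position independently using only the stored rows.

    Returns (recovered_password, hash_evaluations). x0 is stored in the
    clear, so every x_i depends on exactly one unknown character.
    """
    x0 = dict(rows)[0]
    recovered, evaluations = [], 0
    for _pos, xi in sorted(rows)[1:]:
        for c in alphabet:
            evaluations += 1
            if h(c + x0) == xi:
                recovered.append(c)
                break
    return "".join(recovered), evaluations


if __name__ == "__main__":
    sample = "Tr0ub4dor&3"  # constructed sample password
    rows = build_rows(sample)
    guess, used = offline_cost(rows)
    n = len(sample)
    print("recovered from rows only:", guess == sample)
    print("hash evaluations used   :", used, "(upper bound", n * len(ALPHABET), ")")
    print("search space of x0 alone:", len(ALPHABET) ** n)
```

Swapping SHA-256 for a slow password hash only multiplies the linear count by a constant; the per-position rows still remove the exponential term that protects x0 on its own.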