Password-hash proofing with SHA-3 – Information Security Stack Exchange

It's worth adding Argon2 as a dependency. Or bcrypt, if you cannot use an optimized Argon2 and you can avoid all the ways bcrypt lets you shoot yourself in the foot. If you have no good option left, then additionally consider not allowing humans to choose their own passwords.

Losing entropy through repeated hashing is not something you should worry about unless you truncate the hash output between iterations or use a really bad hash function. It is not a problem for a secure function with a large output. You only lose something when two different passwords lead to chains of hashes that merge, in other words, only on an accidental collision.

Using an RNG to generate a new input is completely unnecessary. The output of a cryptographic hash is equally random whether you feed it random-looking or non-random-looking inputs. It could make things worse if someone could use an optimized hardware implementation while you are using a slower software implementation. You also risk making things worse if there is an error in the implementation or the seed is reduced to, say, a 64-bit number.

Your specific method may allow a time-memory trade-off. Some candidates in the password hashing competition, including Argon2, were designed so that you cannot get away with half the memory requirement if you are only willing to halve the speed. (Scrypt allows such trade-offs, and that problem was one of the motivations to look for a better algorithm.) You might think that doubling the computation time is not worth the memory saved, but in the end you may end up with higher performance, less energy consumed, or lower cost if you can buy cheaper or more efficient low-memory hardware and do more operations in parallel.

Whichever algorithm you might come up with would probably be, at best, competitive with PBKDF2. (PBKDF2 is not excellent, but it is simple enough to implement if you already have a hash function.)

If you use PBKDF2 or something similar, you probably should not use SHA-3. SHA-3 can be computed quite efficiently, but it is relatively slow on CPUs. That could benefit password crackers if they can use faster and more efficient implementations. Actually, it would be better to use SHA-512. Or Blake2.
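As an added illustration of two points in the answer above (example code written for this page, not the answer author's code), the following Python uses the standard library's PBKDF2-HMAC with SHA-512, a per-user random salt, a self-describing storage record, constant-time verification and an iteration-count upgrade check; it also iterates SHA-512 from many starting inputs to show that chains only merge when the output is truncated between rounds. The record format `pbkdf2_sha512$iterations$salt$key`, the iteration count and all function names are choices made for this example, not anything the answer prescribes.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Hypothetical policy values chosen for this example, not taken from the answer.
# Tune ITERATIONS so one derivation costs a noticeable fraction of a second on
# your own hardware; the stored record carries the count so it can be raised later.
ALGORITHM = "sha512"
ITERATIONS = 210_000
SALT_LEN = 16
DK_LEN = 32


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt>$<key>."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "$".join([
        f"pbkdf2_{ALGORITHM}",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the parameters stored in the record and compare
    it in constant time. Any malformed record simply fails verification."""
    try:
        tag, iters, salt_b64, dk_b64 = record.split("$")
        alg = tag.removeprefix("pbkdf2_")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"), salt,
                                        int(iters), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record uses fewer iterations than current policy, so the
    password should be re-hashed at the next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or int(parts[1]) < min_iterations


def iterated_distinct(starts: int, rounds: int, truncate_to: int | None) -> int:
    """Iterate SHA-512 `rounds` times from `starts` distinct constructed inputs
    and count the distinct final values. Truncating the state between rounds
    (truncate_to = number of bytes kept) shrinks the state space so chains
    merge; with the full 64-byte output no merging is observed."""
    finals = set()
    for i in range(starts):
        state = f"password-{i}".encode("utf-8")  # constructed sample input
        for _ in range(rounds):
            state = hashlib.sha512(state).digest()
            if truncate_to is not None:
                state = state[:truncate_to]
        finals.add(state)
    return len(finals)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    print("full output, 1000 chains of 100 rounds ->",
          iterated_distinct(1000, 100, None), "distinct results")
    print("1-byte truncation, same chains ->",
          iterated_distinct(1000, 100, 1), "distinct results")
```

The truncation demo keeps only one byte of state, so at most 256 distinct values can survive and the chains visibly collapse; with the untruncated 512-bit state, all 1000 chains stay distinct, which is the answer's point that entropy loss is not a concern for a sound hash with a large output.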