Double hashing security

My first question is, I've heard that hashing the string 2 times (e.g. sha1(sha1(password)) ), because the second hash has a fixed length, is it true??

My the second question is, which is safer? (var1 and var2 are 2 strings):

sha1(var1 + sha1(var2))
sha1(var1 + var2)

If it is the 1st one, is it worth the performance cost?

Solution

By hashing the string twice, you are increasing the risk of collisions, which is bad security-wise.

Instead of having an infinite amount of inputs leading to 2¹²⁸ possible outputs, you will have 2¹²⁸ possible inputs leading to maybe less than 2¹²⁸ outputs.

Using salt and pepper before hashing at least keeps the input to infinite possibilities. Hashing twice increases the run time of your script, and increases the risk of collisions, unless you maintain the source of infinite input.

Limiting the scopes of an OAuth 2.0 flow
How can I tell password managers what pattern to use?
Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
How to run a Trivy scan on Windows?
Why are iframes considered dangerous and a security risk?
Vulnerabilities in spring-webmvc-5.3.39 to 5.3.40
Limit GraphQL Queries by Breadth
Securing a UDP connection
Cross Domain Form POSTing
How is PHP's mt_rand seeded?
Customize android app preview when it is in background with secure flag
Can a client-side login be safe?
How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
How to validate if a URL is an Okta domain?
How to make Google Analytics respond to "Do Not Track"
My Vercel API tokens leaked on GitHub. How do I regenerate them?
Implementing Custom Expression Handling with Spring Security 6
What are the security concerns for JSF?
App attestation failed with Firebase App check in release on Android
SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
When should I use the deny access functions in Symfony 4.4 controllers?
Install two traefik ingress controller on same kubernetes Cluster
Logon events from within credential provider
How to give access to my API for a mobile app?
How to verify a JWKS's integrity and authenticity
Changes in the front-end (Vue.js) part of the PatrolHears project (open source code)
ECPrivateKey to ECPublicKey without BouncyCastle
What TargetName to use when calling InitializeSecurityContext (Negotiate)?
java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING