Menu
All,
I am using the following PHP function to salt & hash user passwords for a web app:
function stringHashing($password,$salt){
$hashedString=$password.$salt;
for ($i=0; $i<50; $i++){
$hashedString=hash('sha512',$password.$hashedString.$salt);
}
return $hashedString;
}
What is the best way to store the resulting string in MySQL? I suppose it is a fixed CHAR field? How should I go about calculating the right length?
Thanks,
JDelage
805
The Salted SHA512 Password Storage Scheme provides a mechanism for encoding user passwords using a salted form of the 512-bit SHA-2 message digest algorithm.
The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.
To stop them from precomputing hashes, the salt should be stored in the database, so they can't get it before getting the hashes themselves, which means they need a lot of time to break the hashes after they compromise the database, which gives you a chance to change passwords before they get access.
Since the whole purpose of a salt is to prevent password attacks with precomputed tables (e.g. rainbow tables), storing the salt along with the hashed password is actually harmless.
Well, SHA512 will always return a 512 bit hash, the two-argument hash() method returns this as hex digits, so that's 512 bits / 8 bits per byte * 2 hex digits per byte = 128 hex digits
A CHAR(128) should be what you need
144
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
