Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Should password hash be stored in binary or hexadecimal number?

I usually store it in hexadecimal number but realize I could save half of the space if I store it in binary inside MySQL. Are there any issues I should be aware of if I decide to store it in binary?

like image 973
IMB Avatar asked Aug 08 '12 18:08

IMB


People also ask

How are password hashes stored?

Password hashing add a layer of security. Hashing allows passwords to be stored in a format that can't be reversed at any reasonable amount of time or cost for a hacker. Hashing algorithms turn the plaintext password into an output of characters of a fixed length.

Which hash function should be used for password storage?

To protect passwords, experts suggest using a strong and slow hashing algorithm like Argon2 or Bcrypt, combined with salt (or even better, with salt and pepper). (Basically, avoid faster algorithms for this usage.) To verify file signatures and certificates, SHA-256 is among your best hashing algorithm choices.

What data type is password hash?

Hashes are a sequence of bits (128 bits, 160 bits, 256 bits, etc., depending on the algorithm). Your column should be binary-typed, not text/character-typed, if MySQL allows it (SQL Server datatype is binary(n) or varbinary(n) ).

What type of data type would you use to store a password?

I would recommend a varchar. Now for size. NIST (in the U.S.) recommends sha-256 or higher. Since a hashing algorithm always produces a value of set length you will need 256 bits to store this sha-256 hashed password.


2 Answers

How many passwords are you expecting to store? Does half the space mean that much to you really?

You are probably representing the passwords in hexadecimal form in your application, so storing them in binary adds another layer of complexity and processing overhead when you perform any operations on those passwords.

My opinion is that you should store them in a way that is convenient for you to work with, rather than one that saves you tiny amounts of space.

Edit:

Going to make some assumptions and take the opportunity to help you a little further.

Since your passwords are in hex, I'm going to assume you're not using crypt, and if you're not, you should be. Worst case scenario, you're using md5... and god is killing kittens.

There's a lot of questions and answers about bcrypt on stack overflow already, so I'll not cover the information again here.

The question SHA512 vs. Blowfish and Bcrypt is a good place to start though.

Also have a read of a couple of @ircmaxell's blog posts on the subject:

  • Introducing PasswordLib
  • The Secure Programmers Pledge
like image 101
Leigh Avatar answered Oct 27 '22 13:10

Leigh


From a usability standpoint, it's probably best to store the hash as a hexadecimal. Storing them in binary means one more step is required to compare a plain text input to the stored password. It also has the potential to add a layer of confusion to anyone who make work on your project after you've moved on. "Why is this password stored in binary?"

like image 22
Stieffers Avatar answered Oct 27 '22 13:10

Stieffers