Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing hashed passwords in MySQL

I'm creating hashed passwords using salted sha1 in PHP.

My question is: In MySQL what is the proper character encoding, field type & length to store the result?

Is there anything else in MySQL to consider for password security? Finally are SHA256 or SHA512 practical hashing choices?

like image 573
YsoL8 Avatar asked Feb 23 '10 16:02

YsoL8


2 Answers

The SHA-2 algorithms (SHA-256, SHA-512) are valid choices; however they require more storage. To store the hex digits for SHA-256, for example, you need a CHAR(64) field. There have been some questions about whether SHA-1 is "broken" Schneier discussed it and NIST commented. If those concern you, then it might be better to use one of the SHA-2 functions.

And if you want to increase the cost of a brute force attack, you might also consider adding some iterations using an algorithm such as PBKDF2. Someone posted an example here in the comments.

like image 166
Mark Wilkins Avatar answered Sep 29 '22 10:09

Mark Wilkins


For a SHA1 hash, CHAR(40) would be the optimal field type and length. Character encoding shouldn't matter much, all the characters are within the ASCII range. I'd go with the same character set as the rest of your database for consistency.

like image 25
Rexxars Avatar answered Sep 29 '22 12:09

Rexxars