Is there a real difference (meaning does it have any added [security] value to do it this or that way) in storing password hash as varchar or a varbinary?
Passwords MUST be hashed. A password hash has different properties from a hash table hash or a cryptographic hash. Never use an ordinary cryptographic hash such as MD5, SHA-256 or SHA-512 on a password.
MD5 - It can use char(32) or BINARY(16). SHA-1 - It can use data type char(40) or BINARY(20).
The best security practice is not to store the password at all (not even encrypted), but to store the salted hash (with a unique salt per password) of the encrypted password. That way it is (practically) impossible to retrieve a plaintext password.
Hashing allows passwords to be stored in a format that can't be reversed at any reasonable amount of time or cost for a hacker. Hashing algorithms turn the plaintext password into an output of characters of a fixed length.
Not really.
Storing it as a varbinary will allow you to use characters outside of your current codepage. You could avoid that by using nvarchar over varchar.
Storing it as varbinary will also make the data present in a hexadecimal format, but this is really not any serious level of protection.
A good reason to store it in varbinary would be that it is in fact binary data, not character data - but this has nothing to do with securing the data per se.
Your security will come from using a proper hashing algorithm and properly securing access to the database/table(s) in question, including ensuring that applications with the proper access levels parameterize their queries.
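The following is an added example, not code from the question or the answer above, showing the two things the answer says actually matter: a purpose-built password hash with a unique salt per password, and parameterized queries against a column that holds raw bytes. It uses Python's standard library only; SQLite's BLOB type stands in for varbinary (an assumption, since the thread is about SQL Server and MySQL types), PBKDF2-HMAC-SHA256 is the password hash chosen here, and the iteration count, column names and sample user are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption for this
# example; tune it to your hardware so one hash takes a noticeable fraction
# of a second. It is stored with each row so it can be raised later.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16   # bytes of random salt per password
HASH_LEN = 32   # bytes of derived key stored


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=HASH_LEN)
    return salt, dk


def open_db() -> sqlite3.Connection:
    """Create an in-memory table whose salt and hash columns are binary, not text.

    BLOB plays the role of varbinary here: the columns hold raw bytes, so no
    code page, collation or hex/base64 encoding is involved.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE users (
            username   TEXT PRIMARY KEY,
            salt       BLOB NOT NULL,
            pw_hash    BLOB NOT NULL,
            iterations INTEGER NOT NULL
        )
        """
    )
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str,
                iterations: int = PBKDF2_ITERATIONS) -> None:
    """Store a salted password hash. Values are bound as parameters, never spliced into SQL."""
    salt, dk = hash_password(password, iterations=iterations)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, iterations) VALUES (?, ?, ?, ?)",
        (username, salt, dk, iterations),
    )
    conn.commit()


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash, iterations FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal whether the username exists.
        hash_password(password)
        return False
    salt, stored, iterations = row
    _, candidate = hash_password(password, salt=salt, iterations=iterations)
    return hmac.compare_digest(candidate, stored)


def stored_types(conn: sqlite3.Connection, username: str) -> Tuple[str, str]:
    """Report the storage class SQLite actually used for the salt and hash columns."""
    return conn.execute(
        "SELECT typeof(salt), typeof(pw_hash) FROM users WHERE username = ?",
        (username,),
    ).fetchone()


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "correct horse battery staple")   # constructed sample user
    print("stored as:", stored_types(db, "alice"))
    print("right password:", verify_password(db, "alice", "correct horse battery staple"))
    print("wrong password:", verify_password(db, "alice", "Tr0ub4dor&3"))
```

Whether the bytes end up in a BLOB/varbinary column or as a hex string in a varchar column changes nothing about how hard the hash is to reverse; what protects the password is the salted, slow hash and the fact that the query binds its parameters. Keeping the work factor in the row lets you raise PBKDF2_ITERATIONS for new passwords without breaking verification of existing ones.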