Is there a real difference (meaning does it have any added [security] value to do it this or that way) in storing password hash as varchar or a varbinary?
Passwords MUST be hashed. A password hash has different properties from a hash table hash or a cryptographic hash. Never use an ordinary cryptographic hash such as MD5, SHA-256 or SHA-512 on a password.
MD5 − It can use char(32) or BINARY(16). SHA-1 − It can use data type char(40) or BINARY(20).
The best security practice is not to store the password at all (not even encrypted), but to store the salted hash (with a unique salt per password) of the encrypted password. That way it is (practically) impossible to retrieve a plaintext password.
Hashing allows passwords to be stored in a format that can't be reversed at any reasonable amount of time or cost for a hacker. Hashing algorithms turn the plaintext password into an output of characters of a fixed length.
Not really.
Storing it as a varbinary will allow you to use characters outside of your current codepage. You could avoid that by using nvarchar over varchar.
Storing it as varbinary will also make the data present in a hexadecimal format, but this is really not any serious level of protection.
A good reason to store it in varbinary would be that it is in fact binary data, not character data - but this has nothing to do with securing the data per se.
Your security will come from using a proper hashing algorithm and properly securing access to the database/table(s) in question, including ensuring that applications with the proper access levels parameterize their queries.
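The points made across the answers above (a salted, purpose-built password hash; varbinary versus varchar being a storage choice rather than a security one; parameterized queries) are shown together in the following added example. It is not code from the question or any of the answers. It assumes an in-memory SQLite database (BLOB standing in for varbinary, TEXT for varchar), PBKDF2-HMAC-SHA256 from the Python standard library as the password hash, and an iteration count chosen for illustration; the table names, the usernames and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Added example, not from the original page. Assumptions: SQLite in-memory
# database; PBKDF2-HMAC-SHA256 as the password hash (a dedicated password hash
# such as Argon2 or bcrypt is preferable where a library is available; PBKDF2
# is used here only because it ships with the standard library).
ITERATIONS = 600_000   # assumed work factor for the example
SALT_LEN = 16          # bytes of random salt per password
DKLEN = 32             # bytes of derived key (the stored "hash")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is generated unless one is supplied."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN)
    return salt, digest


def open_db() -> sqlite3.Connection:
    """Two tables with the same content: raw bytes (varbinary-like) and hex text (varchar-like)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_bin (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE users_hex (username TEXT PRIMARY KEY, salt TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store the salted hash only; the plaintext password never reaches the database."""
    salt, digest = hash_password(password)
    # Parameterized statements: the driver binds the values, so nothing in the
    # username or hash is ever interpreted as SQL.
    conn.execute("INSERT INTO users_bin VALUES (?, ?, ?)", (username, salt, digest))
    conn.execute("INSERT INTO users_hex VALUES (?, ?, ?)", (username, salt.hex(), digest.hex()))


def verify_bin(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Verify against the binary-column table using a constant-time comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_bin WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def verify_hex(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check against the text-column table; only the decoding step differs."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hex WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = bytes.fromhex(row[0]), bytes.fromhex(row[1])
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def storage_sizes(conn: sqlite3.Connection, username: str) -> dict:
    """Bytes (BLOB) versus characters (TEXT) occupied by salt + hash for one user."""
    bin_row = conn.execute(
        "SELECT length(salt), length(pw_hash) FROM users_bin WHERE username = ?", (username,)
    ).fetchone()
    hex_row = conn.execute(
        "SELECT length(salt), length(pw_hash) FROM users_hex WHERE username = ?", (username,)
    ).fetchone()
    return {"bin": sum(bin_row), "hex": sum(hex_row)}


def stored_hashes(conn: sqlite3.Connection) -> list:
    """Return (username, hex hash) pairs to show that equal passwords get different hashes."""
    return conn.execute("SELECT username, pw_hash FROM users_hex ORDER BY username").fetchall()


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "correct horse battery staple")   # constructed sample
    create_user(db, "bob", "correct horse battery staple")     # same password, different salt
    print(verify_bin(db, "alice", "correct horse battery staple"))  # True
    print(verify_hex(db, "alice", "wrong password"))                # False
    print(storage_sizes(db, "alice"))   # binary is half the size of the hex text form
    print(stored_hashes(db))            # two different hashes for the same password
```

The two verify functions are identical apart from `bytes.fromhex`: the column type only decides whether the application or the database does the hex encoding, which is the point the accepted answer makes. The per-user random salt is what makes the two stored hashes for the same password differ, and `hmac.compare_digest` avoids a timing side channel on the comparison.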