I was wondering, if I use PHP's hash() function to generate SHA-512 hashes, how my MySQL table field would need to look in order to be capable of holding the hashed password.
Here is my current MySQL password field layout:
char(40)
MySQL uses passwords in two phases of client/server communication: When a client attempts to connect to the server, there is an initial authentication step in which the client must present a password that has a hash value matching the hash value stored in the user table for the account the client wants to use.
SHA-512 is a fast hash not well suited to storing passwords: hashcat can do 414 million SHA-512 hashes per second, so if a password is common it will be broken in less than a second.
MySQL server uses the PASSWORD function to encrypt MySQL passwords for storage in the Password column of the user grant table. The value returned by the PASSWORD function is a hashed string, or NULL if the argument was NULL. The PASSWORD function accepts one parameter which is the string to be encrypted.
Don't use sha256crypt or sha512crypt; they're dangerous. For hashing passwords, in order of preference, use with an appropriate cost:
- Argon2 or scrypt (CPU and RAM hard)
- bcrypt or PBKDF2 (CPU hard only)
A sha512 hash is represented as a 128 characters-long string.
For example, the following portion of code:
$sha512 = hash('sha512', "Hello, World!");
echo strlen($sha512);
will give this output:
128
Which means your char(40) is far too small, and that you should use a char(128).
Another solution would be to store it in a binary form, and not a string -- which would mean 64 bytes.
But note it might be harder to deal with that representation, in some cases, I suppose.
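The column sizing from this answer and the password_hash() route recommended in the earlier reply, as an added example that is not part of the original question or answers. It assumes a `users` table with `username` and `password_hash` columns; the MySQL DDL constant is constructed for illustration, and the demo at the bottom assumes PHP has pdo_sqlite so it can run without a MySQL server.

```php
<?php
// Added example, not code from the original question or answers.
// Checks the storage size each representation of a SHA-512 digest needs,
// then shows the password_hash() route recommended above.
// Table/column names (users, username, password_hash) are assumptions.
declare(strict_types=1);

// Lengths MySQL must be able to hold: 128 for the hex string that
// hash('sha512', ...) returns by default, 64 for the raw binary digest.
function sha512Lengths(string $password): array
{
    $hex = hash('sha512', $password);        // hex digest  -> CHAR(128)
    $raw = hash('sha512', $password, true);  // raw digest  -> BINARY(64)
    return ['hex' => strlen($hex), 'raw' => strlen($raw)];
}

// Constructed MySQL DDL with one column per representation. The length of
// password_hash() output depends on algorithm and PHP version, so PHP's own
// documentation recommends VARCHAR(255) for it rather than a fixed CHAR width.
const USERS_DDL_MYSQL = <<<'SQL'
CREATE TABLE users (
    id            INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username      VARCHAR(64)  NOT NULL UNIQUE,
    sha512_hex    CHAR(128)    NULL,      -- hex digest, fixed 128 chars
    sha512_raw    BINARY(64)   NULL,      -- raw digest, fixed 64 bytes
    password_hash VARCHAR(255) NOT NULL   -- bcrypt/Argon2id from password_hash()
) ENGINE=InnoDB;
SQL;

// Preferred storage: a slow, salted hash. Argon2id when the PHP build has it,
// otherwise bcrypt via PASSWORD_DEFAULT. Cost is tuned through the options array.
function storeUser(PDO $pdo, string $username, string $password): void
{
    $algo   = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    $stored = password_hash($password, $algo);
    $stmt   = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $stored]);
}

function verifyUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() reads algorithm, cost and salt from the stored string,
    // so existing rows keep verifying after the cost is raised for new users.
    return password_verify($password, $row['password_hash']);
}

// Demo. An in-memory SQLite database stands in for MySQL (assumes pdo_sqlite),
// so the table is created with portable SQL instead of the MySQL DDL above.
$lengths = sha512Lengths('Hello, World!');
printf("hex digest: %d chars, raw digest: %d bytes\n", $lengths['hex'], $lengths['raw']);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

storeUser($pdo, 'alice', 'correct horse battery staple');
var_dump(verifyUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(verifyUser($pdo, 'alice', 'wrong password'));
```

If you keep a plain SHA-512 column for a legacy migration, size it as CHAR(128) for hex or BINARY(64) for raw output; for password_hash() output use VARCHAR(255) so a later switch of algorithm or cost does not truncate the stored string.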