
For a password column, is there a MySQL feature to store a password hashed with "SHA-256"? Or should I hash it from Java code (like How to hash some string with sha256 in Java?) before I store it in the database, and then hash the password input every time and compare it with the database column value to authenticate?

TIA.

Daemonthread

1 Answer

You can convert the value to hex and use a char(n) column with the appropriate length - 64 in this case. The conversion can be done in MySQL by using the sha2 function with hash_length set to 256.

But for security reasons you should not store passwords hashed using SHA-256.

Instead use bcrypt or PBKDF2.


Mark Byers

Comments:
  • @Mark Byers What are the security reasons to not use SHA-256? Can you cite something backing up this statement? – Tom Mar 14 '16 at 14:36
  • @Tom: bcrypt and PBKDF2 both use [key stretching](https://en.wikipedia.org/wiki/Key_stretching) which means that the password is still relatively secure even if it is a weak password. SHA-256 has no such feature. There's a good discussion about it for example here: http://security.stackexchange.com/questions/52041/is-using-sha-512-for-storing-passwords-tolerable – Mark Byers Mar 14 '16 at 16:11
  • @MarkByers Thanks! – Tom Mar 14 '16 at 17:54
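The following is an added example, not code from the question or the answer above. It shows the difference the answer and the comment thread describe: a plain SHA-256 of the password (what a `SHA2(password, 256)` column holds) is deterministic and fast, while a salted, iterated PBKDF2 hash is unique per user and expensive to brute-force. It is written in Python because `hashlib.pbkdf2_hmac` is in the standard library; the Java equivalent is `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` with a `PBEKeySpec`, and the stored string is column data either way. The `pbkdf2_sha256$<iterations>$<salt>$<hash>` storage format, the iteration count and the salt length are this example's own assumptions, chosen so that the parameters travel with the record and can be raised later.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Policy values assumed for this example; raise ITERATIONS as hardware allows.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha256_hex(password: str) -> str:
    """What MySQL's SHA2(password, 256) stores: 64 hex chars, no salt, one
    fast hash. Two users with the same password get the same value, and an
    attacker can test billions of guesses per second against a leaked table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt_b64>$<hash_b64>'.
    Record layout is an assumption of this example, not a standard; it fits in
    a VARCHAR(128) column with the parameters above (about 90 characters)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "%s$%d$%s$%s" % (SCHEME, iterations,
                            base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the salt and iteration count taken from the stored
    record and compare in constant time; malformed records simply fail."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, base64.binascii.Error):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses fewer iterations than current policy, so the
    application can re-hash on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    print("SHA-256 alice:", unsalted_sha256_hex("hunter2"))
    print("SHA-256 bob:  ", unsalted_sha256_hex("hunter2"))   # identical
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("PBKDF2 alice: ", alice)
    print("PBKDF2 bob:   ", bob)                               # differ (salt)
    print("login ok:", verify_password("hunter2", alice),
          "wrong pw:", verify_password("Hunter2", alice))
```

On login, call `verify_password` and, if it succeeds and `needs_rehash` is true, store `hash_password(password)` back so old records migrate to the current iteration count without a forced reset. The iteration count should be tuned so one hash takes on the order of tens to hundreds of milliseconds on the server; bcrypt's cost factor plays the same role.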