9

I'm creating hashed passwords using salted sha1 in PHP.

My question is: In MySQL what is the proper character encoding, field type & length to store the result?

Is there anything else in MySQL to consider for password security? Finally are SHA256 or SHA512 practical hashing choices?

ahockley
YsoL8

2 Answers

12

The SHA-2 algorithms (SHA-256, SHA-512) are valid choices; however, they require more storage. To store the hex digits for SHA-256, for example, you need a CHAR(64) field. There have been some questions about whether SHA-1 is "broken"; Schneier discussed it and NIST commented. If those concern you, then it might be better to use one of the SHA-2 functions.

And if you want to increase the cost of a brute force attack, you might also consider adding some iterations using an algorithm such as PBKDF2. Someone posted an example here in the comments.

Mark Wilkins
  • "To store the hex digits for SHA-256, for example, you need a CHAR(64) field." Can you explain this? Thanks. – JDelage Jun 02 '11 at 21:38
  • 2
    @JDelage: I was just referring to the number of hex digits required to store it. The output is 256 bits => 32 bytes => 64 hex digits. If storage were an issue, it could be stored in some kind of raw/binary field type in 32 bytes. – Mark Wilkins Jun 02 '11 at 22:19
5

For a SHA1 hash, CHAR(40) would be the optimal field type and length. Character encoding shouldn't matter much, since all the characters are within the ASCII range. I'd go with the same character set as the rest of your database for consistency.

Rexxars
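Added example (not code from either answer), in PHP as in the question: it produces the digests the two answers size as CHAR(40), CHAR(64) and a 32-byte binary column, adds the PBKDF2 iteration step suggested in the first answer, and sketches a matching table. The table and column names, the iteration count and the sample password are assumptions.

```php
<?php
// Added example, not from the question or answers. Table/column names,
// iteration count and the sample password are assumptions.

// Per-user random salt from a CSPRNG (random_bytes, PHP >= 7).
$salt     = random_bytes(16);
$password = 'correct horse battery staple'; // constructed sample input

// Plain salted digests, as in the question. Hex output doubles the width:
// SHA-1 is 20 bytes -> 40 hex chars (CHAR(40)),
// SHA-256 is 32 bytes -> 64 hex chars (CHAR(64)) or 32 raw bytes (BINARY(32)).
$sha1Hex   = sha1($salt . $password);
$sha256Hex = hash('sha256', $salt . $password);
$sha256Raw = hash('sha256', $salt . $password, true);

// PBKDF2, as the first answer suggests: same 32-byte output width, but every
// password guess now costs $iterations hash computations instead of one.
$iterations = 100000;
$pbkdf2Raw  = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);

printf("sha1 hex:   %d chars\n", strlen($sha1Hex));
printf("sha256 hex: %d chars\n", strlen($sha256Hex));
printf("sha256 raw: %d bytes\n", strlen($sha256Raw));
printf("pbkdf2 raw: %d bytes\n", strlen($pbkdf2Raw));

// Schema for the raw-byte layout (assumed names). A digest is bytes, not text,
// so BINARY columns sidestep charset and collation questions entirely; the hex
// form would use CHAR(64) CHARACTER SET ascii instead. Storing the iteration
// count per row lets it be raised later without a forced reset of all users.
$ddl = <<<SQL
CREATE TABLE users (
  id         INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  username   VARCHAR(64)  NOT NULL UNIQUE,
  salt       BINARY(16)   NOT NULL,
  iterations INT UNSIGNED NOT NULL,
  pw_hash    BINARY(32)   NOT NULL
) ENGINE=InnoDB;
SQL;

// Verification recomputes PBKDF2 with the stored salt and iteration count and
// compares in constant time (hash_equals), so the comparison leaks no timing.
function verify_password(string $candidate, string $salt, int $iterations, string $storedHash): bool
{
    $computed = hash_pbkdf2('sha256', $candidate, $salt, $iterations, 32, true);
    return hash_equals($storedHash, $computed);
}

var_dump(verify_password($password, $salt, $iterations, $pbkdf2Raw));
var_dump(verify_password('wrong password', $salt, $iterations, $pbkdf2Raw));
```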