Hashing in phpMyAdmin

Question

I have a mySQL database and I am using phpMyAdmin to access it. The database has table employees with fields like name, address, email and password.

Initially the password field was just VARCHAR (20). But now I want to hash my password with SHA-256 hashing technique.

I do not have much experience with databases so I want to know is -

1. can I hash all my current employees passwords without affecting the other fields or the entire table?

2. In future when I am entering data in the database (from a web application), where do I write the hashing function to hash the password? i.e. does the hashing occurs at the front end and then the hashed password is stored in the DB or the password goes to the DB where it is hashed and then stored.

Solution and Suggestions are appreciated.

Answer 1

Q1: Can I hash all my current employees passwords without affecting the other fields or the entire table?

A: Yes. But you need to alter the size of your column of the password by 40-42. You will use the PASSWORD( ) built-in function to encrypt your password

ALTER TABLE tableName MODIFY `password` VARCHAR(42); 

after that you can now update the password column

UPDATE tablename
SET     `password` = PASSWORD(`password`);

ex.)

abcde12345 => *20B30AFAF441808B50273EDA287132EC25B02DE2

Q2: In future when I am entering data in the database (from a web application), where do I write the hashing function to hash the password?

A: In your INSERT query

INSERT INTO tableName (name, address, email, password) 
VALUES ('aa','bb',''cc,PASSWORD('abcde12345'))

when you want to search for the password, encrypt first the text:

SELECT *
FROM   tableName
WHERE `password` = PASSWORD('abcde12345')

one more thing, don't forget to escape your Password column with backtick since it is a MySQL Reserved Word.

Answer 2

can I hash all my current employees passwords without affecting the other fields or the entire table?

Yes. For example, if you’re going to use the SHA-1 hashing function, you can add the corresponding column and hash all your passwords with one query:

alter table employee add column password_hash varchar(40);
update employee set password_hash = sha1(password);

It is assumed that your plain text password column is called “password”. You can drop the original column after you have the hashes, of course (and, most likely, this is exactly what you want to do next).

However, I strongly advice you to read more on hashing algorithms and pick something better. For example, you may want to use a different hashing function and/or add salt.

In future when I am entering data in the database (from a web application), where do I write the hashing function to hash the password? i.e. does the hashing occurs at the front end and then the hashed password is stored in the DB or the password goes to the DB where it is hashed and then stored.

Most commonly, the hashing occurs on the server side each time a user logs in. Then an authentication session is created and the session ID is stored in the user’s cookies (so you never store the password or it’s hash on the client side, however, you transmit it to the server when the user logs in, and this is why it is good to use SSL at least for authentication).

In some cases, you may want to even build a separate authentication backend which only accepts password hashing requests (so even if someone cracks into your system, the exact hashing schema would be still secret until they crack the hashing backend as well, which can be a lot harder if it’s built carefully enough). However, you would only need something like this in case you really care a lot about the security and it is really important. Otherwise the typical server side hashing will be enough.

Answer 3

You can hash the password in php and then store it in the DB:

$pwd = hash('sha256',$_POST['password']);

MySQL does not support sha256 function so you need to hash by code and then store/update your password table. Otherwise you can consider this http://stuge.se/mysql-sha256/