Reproducing PHPs hash_hmac functionality in MYSQL

Question

I'm creating a more secure user password table with the username, a strongly random salt, and a salted/hashed password in php like so:

$salt = bin2hex(openssl_random_pseudo_bytes(64));
$pass = hash_hmac('sha512', $plainTextPass, $salt);
$this->user->password = $pass;
$this->user->salt = $salt;
$this->user->save();

I'm trying to reproduce this functionality in MySQL without much luck. I need to create some users when the DB server is deployed from a script. As I understand it the hash_hmac method just takes the salt, appends the password to it, then hashes it with sha 512. Seems like this would be easy enough to do in MySQL, but this:

INSERT INTO `users` (`email`, `username`, `password`, `salt`) 
VALUES('test@example.com', 'admin', SHA2('9d1ebf3559baf9ffca61df5cec0b9eb067ae7912d097ad45f3a3086c39bf11292d92a7dfad497557fac7fbf7c24209db8b7696664d54c7e6bc55f720121bd38dadmin', 512), '9d1ebf3559baf9ffca61df5cec0b9eb067ae7912d097ad45f3a3086c39bf11292d92a7dfad497557fac7fbf7c24209db8b7696664d54c7e6bc55f720121bd38d');

In this case the salt is just a hard coded one I generated manually, and you can see I just append the password "admin" on to the end of it for the password field. This user creates, but I can't login with that admin username and password.

Should I be doing this a different way in MySQL?

Answer 1

An HMAC is not computed by concatenation, but as follows (see the link for more details).

HMAC (K,m) = H ((K ⊕ opad) ∥ H ((K ⊕ ipad) ∥ m))

However, as the name implies, it is a message authentication code, not a password hashing scheme. An algorithm that is designed for password hashing would be a better choice. scrypt, bcrypt, or PBKDF2 would be a good bet.