Reputation: 621
I've got a couple of questions around storing/retrieving passwords with MySQL / Visual Studio 2010 (VSTO Visual Basic). I hope they are straight forward!
SHA-2 QUESTION
I'm making a table using MySQL (through the PHPMyAdmin Interface) to store just two columns: User ID & Password. After reading through SO and a bunch of other resources it seems that storing the password using SHA-2 encryption and salting is a viable option. Is this correct?
VISUAL STUDIO 2010 QUESTION
I am building a VSTO project in Visual Studio 2010 and will be accessing the data in the table using Visual Basic - how can I encode a user-inputted password with the SHA-2 algorithm? I can't seem to find any 'current' guides on this process. I'd imagine I have to download/install an extension that can process the SHA-2 algorithm into VS2010. The process here is, I have a 'login system' built within Excel but I want to verify the username/password combination by comparing it to the already existing data in the MySQL table.
SALTING QUESTION
Also, salting is HIGHLY recommended practically everywhere I read, so I decided to use a random string like 's@w0s9w%$x' or something like that and obviously store this/use it every time I need to encode + match a password to the database. Is this secure enough? How would you use a different salt word for every user but keep track of this? Would you simply save the username/salt-word combination in another table and extract it later?
EDIT: Added more info!
Upvotes: 0
Views: 687
Reputation: 34733
Don't try to create your own password hashing scheme. Instead, use a well-known one. Generally there are three options: Bcrypt, Scrypt, and PBKDF2. These are designed by security professionals, have been around for a long time and have not been broken. Implementations are available for many languages.
For the salting question, you have the basic idea right. Usually the salt is stored with the password in the database. The salt is not considered to be a secret, but it should be unique for every user. Bcrypt hashes already contain the salt themselves, so you don't need to worry about that.
Related answer on security.se: https://security.stackexchange.com/a/6415/20774
A nice article on the subject of password hashing: http://crackstation.net/hashing-security.htm
Upvotes: 1