mysql sha1 encryption for whole password column

Question

I have a table in phpmyadmin containing the username and password, but the password field isn't encrypted. I wanted to encrypt the whole column of the password field into SHA1 format. Any idea how to do so?

Answer 1

For today's security standards I would do:

1. Add 4 Fields to the table (Hash, Salt, Iteration, Algo)
2. Use This code from crackstation to Hash and Validate your passwords

Usage is very simple:

$plain_password="messi";

$hash=create_hash($plain_password);

$hash is an array with all the data you need to save to the database

array(4) {
  [0]=>
  string(6) "sha256"
  [1]=>
  string(4) "1000"
  [2]=>
  string(32) "wJnwu2uA4rVdW8Momz3CgS8W7MdEmaLH"
  [3]=>
  string(32) "0g2b0ZrpnObAx6z1L/8g8PPNbTG+92BI"
}

Save that to the DB and next time you have to retrieve those value as:

SELECT 
CONCAT(password_algo, ":" ,password_iteration,":" , password_salt,":" , password_hash)
FROM users WHERE userEmail='messi@argentina.com';

Use the string result in the validation function

validate_password($password_to_validate, $stored_hash_from_db)

If its valid you will get True, otherwise False.

Answer 2

First, please read How to securely hash passwords?.

Then you can look for a PHP PBKDF2, Bcrypt, or Scrypt implementation to use.

In the database, you'll want:

• A column for the salt - perhaps BINARY(16) for a 128 bit salt. See What is the correct way to make a password salt? - Adnan's answer in particular includes PHP functions, though if you use bin2hex, you'll need a CHAR(32) column for 32 hex characters (the same as 16 binary bytes).
• A column for the iteration count (work factor). INT UNSIGNED should work.
• If you insist on a single iteration (i.e. sha1(password)) this is no longer required, but you're not using a secure password storage mechanism. Don't do that.
• You could hardcode this, but then it's hard to increase it later. With a column, then you can have many different iteration counts/work factors in your database, and increase them transparently as users log in.
• For PBKDF2, start in the tens of thousands and work up. For all of them, increase until just below where you'll get complaints/be CPU bound with your expected growth. Increase when you buy new hardware.
• A column for the result hash itself.
• For PBKDF2-HMAC-SHA-1, BINARY(20) is the native size of SHA-1
• For PBKDF2-HMAC-SHA-512, BINARY(64) is the native size of SHA-512.
  • BINARY(20) would still be superior to the same 20 from PBKDF2-HMAC-SHA-1, since SHA-512 requires 64-bit operations that currently reduce the margin of superiority an attacker's GPU's have over your CPU.
• Or, for any of these CHAR(double the BINARY storage size) with bin2hex
• Never use an output size for PBKDF2 greater than the native hash size (listed above), or it's a free bonus to the defender.
• Optional: a column for the "version" of password securing you're using, so you can upgrade to another version later with easy. TINYINT UNSIGNED should work well, here.

If you'd really like (and it is NOT recommended), you could create a MySQL implementation of something like PBKDF2, and since MySQL 5.5.5 and up has a SHA-512 function, you can perhaps use a MS SQL Server PBKDF2-HMAC-SHA-512 impelmentation as an example, but be absolutely sure to verify it against known test vectors.

Answer 3

Don't even use SHA-1 hashing alone at this point, it is not considered secure enough by itself.

See the Password Storage Cheat Sheet from OWASP. You should be using a stronger cryptographic function in addition to salting the password with a unique salt for each user.

You can use PHP's password_hash() function which uses the bcrypt algorithm if you have PHP 5.5, or if you don't have PHP 5.5, you can use the PHP implementation by ircmaxell.

If you used just SHA-1 at this point, you may as well not even bother as most passwords in your database are probably already in an SHA-1 rainbow table.

To update your database, write a short PHP script to read each password from the database, apply the hashing function, and then update that row with the new hashed password. Then modify your register and login functions to use the new hash function when comparing an entered password to one stored in the database.

Answer 4

You should be salting your passwords as well: https://crackstation.net/hashing-security.htm

Answer 5

update mytable set password=sha1(password)

you should at least verify if the column definition is able to hold 40 characters, or you can worsen the situation.

I hope you are aware that from then on you should also rewrite your code to encrypt the password before sending and or comparing against the DB.