Reputation: 255
I need some help understanding how to hash and salt passwords for users in SQL using SHA256 or SHA512. I think for each user I have to generate a different salt? How do I check the password at login and update an existing password in MySQL?
I used this resource to do some research on implementation but it only shows Java code, how do I do this in MySQL? Would this be done in a stored procedure?
Thanks
Upvotes: 0
Views: 3519
Reputation: 1904
I am no authority on the security aspects, but using SQL Server you could handle the different pieces in the following manner:
For Hashing:
You could use HASHBYTES and either of the SHA-2 algorithms based on your requirement: HASHBYTES('SHA2_256', @Password);
Be aware that this function takes only 8000 bytes and works on varchar, nvarchar, or varbinary, which should suffice in your case, but keep it in mind just in case.
You could also write a SQL CLR function in .NET to do the hashing if the input constraints don't work for you.
For the Salt:
Use GUIDs; using a part of the GUID might not give you the entropy required for a salt, so I recommend using the whole string. Or use the RANDOM() function to generate a unique alphanumeric string with a bit of logic.
Process:
Add the salt to the password before hashing (HASHBYTES('SHA2_256', @Password + Salt)) and store both the hashed output and the salt for the user during the registration process.
On a subsequent login attempt, add the user-entered password to the salt, get the hashed output and then compare it with the stored hashed value. If the values match, the user is legitimate; else not.
Upvotes: 1
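The register / login / change-password flow the answer above describes, as an added example that is not part of the question or the answer. It uses Python's sqlite3 as a stand-in for MySQL or SQL Server so it runs offline; the `users` schema, the usernames and the passwords are constructed for the example. `salted_sha256` reproduces the answer's exact formula (SHA-256 over salt || password) so a value computed by `HASHBYTES('SHA2_256', ...)` or MySQL's `SHA2(CONCAT(...), 256)` can be cross-checked against it, but the hash actually stored is PBKDF2-HMAC-SHA256, because a single fast SHA-256 pass, salted or not, lets an attacker who steals the table test billions of guesses per second. The per-user salt comes from the OS CSPRNG, a new salt is issued on every password change, and the comparison at login is constant-time.

```python
import hashlib
import hmac
import os
import sqlite3

SALT_LEN = 16            # 128-bit random salt per user
DEFAULT_ITER = 200_000   # PBKDF2 work factor; raise as hardware allows
DUMMY_SALT = bytes(SALT_LEN)


def salted_sha256(salt: bytes, password: str) -> bytes:
    """The answer's formula: SHA-256 over salt || password.

    Gives the same digest as HASHBYTES('SHA2_256', salt + pwd) in SQL Server or
    SHA2(CONCAT(salt, pwd), 256) in MySQL when fed the same bytes, so it can be
    used to cross-check a value written by a stored procedure.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def derive(salt: bytes, password: str, iterations: int) -> bytes:
    """What is actually stored: PBKDF2-HMAC-SHA256, a deliberately slow salted hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_db() -> sqlite3.Connection:
    # Hypothetical schema (assumption): salt and hash side by side, plus the
    # work factor so it can be raised later without invalidating old rows.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               username   TEXT PRIMARY KEY,
               salt       BLOB NOT NULL,
               pw_hash    BLOB NOT NULL,
               iterations INTEGER NOT NULL)"""
    )
    return conn


def register(conn, username: str, password: str, iterations: int = DEFAULT_ITER) -> None:
    salt = os.urandom(SALT_LEN)  # fresh CSPRNG salt for every user, never reused
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, iterations) VALUES (?, ?, ?, ?)",
        (username, salt, derive(salt, password, iterations), iterations),
    )


def verify(conn, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash, iterations FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same work for unknown users so response time does not
        # reveal which usernames exist.
        derive(DUMMY_SALT, password, DEFAULT_ITER)
        return False
    salt, stored, iterations = row
    # Constant-time comparison; a plain == on the digests leaks timing.
    return hmac.compare_digest(derive(salt, password, iterations), stored)


def change_password(conn, username: str, old: str, new: str) -> bool:
    if not verify(conn, username, old):
        return False
    salt = os.urandom(SALT_LEN)  # rotate the salt along with the password
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, iterations = ? WHERE username = ?",
        (salt, derive(salt, new, DEFAULT_ITER), DEFAULT_ITER, username),
    )
    return True


def stored_hash(conn, username: str) -> bytes:
    return conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = create_db()
    # Constructed sample users; two accounts share a password on purpose.
    register(db, "alice", "correct horse battery staple")
    register(db, "bob", "correct horse battery staple")
    print("same password, different stored hashes:",
          stored_hash(db, "alice") != stored_hash(db, "bob"))
    print("alice logs in:", verify(db, "alice", "correct horse battery staple"))
    print("wrong password rejected:", not verify(db, "alice", "hunter2"))
    print("password changed:",
          change_password(db, "alice", "correct horse battery staple", "new-passphrase"))
    print("old password now rejected:",
          not verify(db, "alice", "correct horse battery staple"))
```

If the hashing must stay inside the database, the same shape carries over to a stored procedure: the registration procedure generates the salt (CRYPT_GEN_RANDOM in SQL Server, RANDOM_BYTES in MySQL), stores salt and hash in separate columns, and the login procedure recomputes the hash from the submitted password and the stored salt. The iteration-count column is the part worth keeping even then, since it lets you strengthen old rows the next time each user logs in.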