what is a good encoding to use for storing password hashes in DB or transferring them on a network

Question

we have a wcf authentication service and a .net c# CAB client. The service is responsible for saving and verifying user password hashes. It is also required that the hashes be stored in a readable format. Also, we will need to send hashes from the client to the service for verification. So is using a Base64 encoding for storage and transfer a good choice? what are the advantages and disadvantages of using this versus other encoding?

Answer 1

Hash the password with SHA512 along with a unique per-user salt, then either Base64 encode or hex encode (each byte of the input becomes the 2-digit hex value of that byte).

Hashes are 1-way functions. Once it's hashed, you can never get the original password back. But that's fine since you only ever store the hashed password, so in order to check if someone entered their password correctly, you re-hash and compare the hashed versions.

Answer 2

Base64 is standard and well known way to encode binary data. It is good fit for your requirments.

If you need to send this value in Urls often using modified Base64 encoding ( http://en.wikipedia.org/wiki/Base64#URL_applications) or Base32 may work better.

Answer 3

You need something that can encode arbitrary octets, not something that just encodes text (some bit patterns are invalid in UTF-16 for example).

So really two options to encode binary as text:

• Base 64
• Hex

As hex needs two text characters for each octet, while base64 needs about 1.3, the choice would be base64 unless there is some reason not to.