Reputation:
I am trying to store passwords in my user table. Of course I want to salt and hash them before.
But there's no hash() method in mysql anymore. How can I do it in version 8.0? Are there alternatives?
Thanks in advance for your help.
Upvotes: 1
Views: 11315
Reputation: 562230
You should hash passwords in your app, before sending them to SQL.
Why do I say this? After all you could do this:
INSERT INTO Accounts (user, salt, password)
VALUES ('myuser', '1234', SHA2(CONCAT('xyzzy', '1234'), 256))
But now the password 'xyzzy' appears in plain-text in your query logs and binary logs, even if it is stored in hashed form in the table itself. If you don't secure your logs adequately, a hacker could get a hold of them and find everyone's password.
Instead, perform the hash operation in your application code. Get the result of that, and save the hash string verbatim in the database.
INSERT INTO Accounts (user, salt, password)
VALUES ('myuser', '1234', 'd3822b5f03ad0c1a363d874238f6b48fd68a131cc35d5e55c77a81db1d266b84')
That way the plain-text password does not get logged.
Likewise, when you do password checks for users as they log in, read the salt, then use it to hash the password they input, then compare that to the hash string stored in the database.
SELECT salt FROM Accounts WHERE user = ?
...calculate hash string using user input + salt...
SELECT password = ? AS password_matches FROM Accounts WHERE user = ?
Upvotes: 2
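The register-and-verify flow the answer describes, as an added example that is not part of the original answer: hashing happens in application code, only the salt and the finished digest are passed to SQL as bound parameters, and the login check recomputes the digest from the stored salt. It swaps the answer's SHA2(CONCAT(...)) for PBKDF2-HMAC-SHA256 from Python's standard library (a slow, salted KDF is the usual choice for passwords), generates a random per-user salt instead of '1234', and compares in the application with a constant-time check rather than in a SELECT. The iteration count, salt length, and the in-memory sqlite3 stand-in for the MySQL table are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Parameters chosen for this example (assumptions, not from the original answer).
ITERATIONS = 600_000   # PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16        # random per-user salt length


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Derive a hex digest from password + salt in the application, never in SQL."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()  # 64 hex characters for SHA-256 output


def open_db() -> sqlite3.Connection:
    # sqlite3 in memory stands in for MySQL; the schema mirrors the answer's
    # Accounts(user, salt, password) table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (user TEXT PRIMARY KEY, salt TEXT NOT NULL, password TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, user: str, password: str) -> None:
    """Store a new account: only salt and digest reach the SQL layer."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt)
    # Bound parameters: the plaintext password never appears in the query text,
    # so it cannot end up in the general query log or binary log.
    conn.execute(
        "INSERT INTO Accounts (user, salt, password) VALUES (?, ?, ?)",
        (user, salt.hex(), digest),
    )
    conn.commit()


def verify(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Login check: read the salt, rehash the supplied password, compare digests."""
    row = conn.execute(
        "SELECT salt, password FROM Accounts WHERE user = ?", (user,)
    ).fetchone()
    if row is None:
        # Unknown user: still spend one hash so response time does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt_hex, stored_digest = row
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> tuple:
    """Round trip: correct password, wrong password, unknown user (constructed data)."""
    conn = open_db()
    register(conn, "myuser", "xyzzy")
    return (
        verify(conn, "myuser", "xyzzy"),
        verify(conn, "myuser", "plugh"),
        verify(conn, "nobody", "xyzzy"),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the salt is random per user, two accounts with the same password get different stored digests, and the digest stored in the table is useless to an attacker who only has the logs, since the logs contain the digest and not the input that produced it.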