9

I'm trying to make a website with a log on / log off feature and I plan on properly hashing and salting the password. The problem I'm facing, however, is how I'd go about storing the password in the database. I know that I need to store the hashed + salted password in the database (not in plain text or plain encrypted), but I don't know how to technically get around inserting the binary data into the database.

In my early attempts, the only way I could get the data in the database would be to have the binary data converted to a base64 string and inserted into the varchar password field, but something is telling me that's not the correct way to do it.

The password field in the database is currently a varchar but as I understand it, a hashed password is binary. So even if I changed the password field to a binary object, I still don't know how to actually insert it!

If I'm not making any sense please ask for clarification and I'll get back to you.

Improve this question
5
  • 1
    The hash can be a varchar... it doesn't have to be binary at all but out of curiosity what is the has function you are using? Commented Feb 12, 2012 at 21:25
  • 1
    Why don't you want to use base64? It's simple and the data is small enough not to be worried about size. Commented Feb 12, 2012 at 21:31
  • Base64 is the safest way that leaves the hash in human-readable form. There is nothing wrong with storing a salted hash as plain-text; that’s the whole purpose behind storing a hash, not a password. Commented Feb 12, 2012 at 21:34
  • Well, I'm using SHA-512 to hash the password like so: byte[] pwdEntered = pw512.ComputeHash(System.Text.Encoding.Unicode.GetBytes(pwBox.Text)); and the value that I'm putting in the database is the result of this: Convert.ToBase64String(pwdEntered). @Chris - it's not that I don't want to use base64, it's just this is the first time I've done this so I wasn't sure if that was an acceptable way to do it or if there was some other fancy way of doing it. Commented Feb 12, 2012 at 21:40
  • This question has nothing to do with authentication. It should be "How do I insert binary data into a table". Commented Feb 12, 2012 at 22:30

2 Answers 2

Reset to default
10

In Microsoft SQL Server you can store binary data in columns having a binary data type (or varbinary if you need variable length data). You can use that for you hashed and salted passwords. If you use a 512 bit hash function and also want to use a 512 bit salt you need 2*512/8 = 128 bytes (e.g. binary(128) to store salt and hash.

Normally whatever API you use to read and write the database should assist you in reading and writing binary data. However, perhaps you want to use some SQL to directly insert a binary value into a table. You can use syntax like this:

insert into MyTable values (0x123456789ABCDEF)

Not really an answer to your question, but if you struggle with implementing you own password feature you could consider using a prebuilt industrial strength component to avoid embarrasing errors in the future. ASP.NET has a membership provider for instance.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

7

No, a hashed password doesnt have to be stored in a varbinary field, you can encode it and store it in a varchar field. Base64 is a good alternative for encoding any kind of characters.

Improve this answer

5 Comments

What kind of hash do you use that generates strings and not sequence of bites? All cryptographic has functions I know of will generate a set number of bits like 128, 160, 256 or 512 bits and that is not a string (strings are stored using an encoding).
@MartinLiversage I've used MD5 hashes to store passwords in varchar fields w/o problems. Linux used MD5 hashes in /etc/passwords for looooong time. The point is that you DON'T HAVE to store them in a varbinary field.
Of course you can store hashes in varchar columns but then you need to encode them using something like base64 encoding. Your answer seems to indicate that the hash can be stored directly without taking into account random binary sequences that doesn't make sense in a string.
Sorry to keep nitpicking but you can't use UTF-8 encoding to convert any sequence of bytes to a string. Try to convert the bytes 0xC5 0x01 to a string and then back to bytes using UTF-8. Because the bytes are invalid UTF-8 you don't get the original bytes back. Base64 is fine though.
@martinLiversage au contraire, thanks for the info. I didn't know that. Removed UTF-8 from the answer.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.