tags:

views:

551

answers:

4
+2  Q: 

Storing a SHA512 Password Hash in Database

In my ASP.NET web app I'm hashing my user passwords with SHA512.

Despite much SO'ing and Googling I'm unclear how I should be storing them in the database (SQL2005) - the code below shows the basics of how I'm creating the hash as a string and I'm currently inserting it into the database into a Char(88) column as that seems to be the length created consistently

Is holding it as a String the best way to do it, if so will it always be 88 chars on a SHA512 (as I have seen some bizarre stuff on Google)? 

 Dim byteInput As Byte() = Encoding.UTF8.GetBytes(sSalt & sInput)
 Dim hash As HashAlgorithm = New SHA512Managed()
 Dim sInsertToDatabase As String =  Convert.ToBase64String(hash.ComputeHash(byteInput))
A: 

You should not be coding that stuff yourself. Have a look at http://msdn.microsoft.com/en-us/library/ms998317.aspx or google sql membership provider.

klausbyskov  2009-12-01 21:14:55
Isn't formsAuthentication limited to MD5/SHA1?
Chris  2009-12-01 21:19:50
+4  A: 

SHA512 outputs 512 bits, or 64 bytes. You can store those 64 bytes in a binary column, if you so wished.

If you want to handle the hash outside your application is more comfortable to store a Base64 string, as you are doing now. Base64 adds roughly a 33% of constant overhead, so you can expect the string to be always 88 chars.

That said, ASP.NET has a fairly comprehensive authentication system builtin, which you should use.

Vinko Vrsalovic  2009-12-01 21:15:38
A byte array in .NET maps directly to BINARY (or VARBINARY) in T-SQL
RickNZ  2009-12-01 23:27:51
Thanks @RickNZ - much appreciated.
Chris  2009-12-02 06:40:10
Thanks @Vinko for all of the clarification - I like to own the security model and understand exactly what is going where and know that I can port the usability of the passwords away from ASP.NET at any time - I've been bitten there before. Maybe misguided, certainly not that I'm a control freak or anything ;)
Chris  2009-12-02 06:44:20
+1  A: 

I personally have always stored them as a string. This makes comparing them to the user input very easy.

According to msdn on system.security.cryptography.sha512 The hash size for the SHA512 algorithm is 512 bits.

corymathews  2009-12-01 21:16:43
A: 

Have a look at link text/ if you want to use asp.net membership. It has very open table structure, so it might be easier to integrate with your current database.

jhexp  2010-04-14 13:20:41

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?