Hi
I'm creating hashed passwords using salted sha1 in PHP.
My question is: In MySQL what is the proper character encoding, field type & length to store the result?
Is there anything else in MySQL to consider for password security? Finally are SHA256 or SHA512 practical hashing choices?
For a SHA1 hash, CHAR(40) would be the optimal field type and length. Character encoding shouldn't matter much, all the characters are within the ASCII range. I'd go with the same character set as the rest of your database for consistency.
The SHA-2 algorithms (SHA-256, SHA-512) are valid choices; however they require more storage. To store the hex digits for SHA-256, for example, you need a CHAR(64) field. There have been some questions about whether SHA-1 is "broken" Schneier discussed it and NIST commented. If those concern you, then it might be better to use one of the SHA-2 functions.
And if you want to increase the cost of a brute force attack, you might also consider adding some iterations using an algorithm such as PBKDF2. Someone posted an example here in the comments.
Anyone got any arguments against using md5 and storing them as char(32)?