
My recent developments led me into the world of password storage security, hashing functions, ...

I've decided to store in the database the resulting byte array of my hashing function (in a BINARY type column), as well as the salt, since storing a hex string would take more space, I guess.

Are there any downsides to this practice? Especially from a security viewpoint.

+----+---------+--------------+--------------+---------------+------------+
| id | login   | password     | salt         | name          | lname      |
+----+---------+--------------+--------------+---------------+------------+
|  1 | myadmin | 0x8B624d85B1 | 0x248f1706f0 | Administrador | do Sistema |
+----+---------+--------------+--------------+---------------+------------+

1 Answer


I can't see any downside from a security perspective of storing the hash and salt as binary rather than strings. Ultimately all data is binary anyway.

I'd be more concerned about what hashing algorithm you are using. I don't see anywhere you are storing a difficulty factor, so I assume you aren't using BCrypt? If not, you might want to consider using that as it seems to be the gold standard at the moment for password hashing.


4 Comments

Argon2, that table is just illustrative. I've read that Argon2 is too recent and therefore not so secure, but I'm giving it a try.
+1 for using Argon2 (which variant? 2d? 2id?). It's recent, but it's also been pretty heavily reviewed as part of the Password Hashing Competition.
2d, I run a whole bunch of apps on one server, so it "should" be nearly impossible to side-channel attack my server.
@LucasNoetzold - It may become more difficult to upgrade to a new algorithm in the future. The string format usually includes all necessary information, like the salt, the cost factor and the algorithm signature; you will have to store this information as well. The built-in functions are mostly backwards compatible, which means that they can verify a password even if it was calculated with an older algorithm.
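The last comment's point, as an added example that is not part of the question or answer: a self-describing record that carries the algorithm identifier, cost factor, salt and hash, so verification reads its parameters from the row itself and rows hashed under an older policy can be detected and rehashed. It uses PBKDF2-HMAC from Python's standard library as a stand-in for Argon2 or bcrypt (neither is in the stdlib); the record format, registry and function names are assumptions of this example, not any library's API.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical registry: every KDF this app has ever used, keyed by the
# identifier written into the record. Old entries stay so old rows verify.
ALGORITHMS = {"pbkdf2-sha256": "sha256"}
DEFAULT_ALG = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000  # current cost factor; raise it over time


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def encode_record(alg: str, iterations: int, salt: bytes, digest: bytes) -> str:
    """Record in the style of the '$alg$cost$salt$hash' strings that bcrypt and
    Argon2 libraries return; the salt and hash are still raw bytes underneath."""
    return f"${alg}${iterations}${_b64(salt)}${_b64(digest)}"


def parse_record(record: str):
    """Recover (alg, iterations, salt_bytes, hash_bytes) from a stored record."""
    _, alg, iterations, salt_b64, hash_b64 = record.split("$")
    return alg, int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Fresh random salt per password; output is the complete record to store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGORITHMS[DEFAULT_ALG], password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return encode_record(DEFAULT_ALG, iterations, salt, digest)


def verify_password(password: str, record: str) -> bool:
    """Algorithm and cost come from the record, not from today's defaults, so a
    row created under an older cost factor still verifies after the default rises."""
    alg, iterations, salt, stored = parse_record(record)
    if alg not in ALGORITHMS:
        return False  # a KDF this build no longer knows: reject rather than guess
    computed = hashlib.pbkdf2_hmac(ALGORITHMS[alg], password.encode("utf-8"),
                                   salt, iterations, dklen=len(stored))
    return hmac.compare_digest(computed, stored)  # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True when the row lags current policy; after a successful login, replace
    it with hash_password(password) so the stored cost catches up."""
    alg, iterations, _, _ = parse_record(record)
    return alg != DEFAULT_ALG or iterations < DEFAULT_ITERATIONS
```

With raw BINARY columns for hash and salt only (as in the question's table), the algorithm and cost factor have to live somewhere else, typically extra columns, or a later change of either breaks verification of existing rows.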
