I am no authority on the security aspects but using SQL Server you could handle the different pieces in the following manner:
For Hashing:
You could use HASHBYTES and either of the SHA-2 algorithms based on your requirement: HASHBYTES('SHA2_256', @Password);
Be aware that this function takes only 8000 bytes and works on varchar, nvarchar, or varbinary, which should suffice in your case, but just in case:
You could also write a SQL CLR function in .NET to do the hashing if the input constraints don't work for you.
For the Salt:
Use GUIDs; using a part of the GUID might not give you the entropy required for a salt, so I recommend using the whole string.
Or use the RANDOM() function to generate a unique alphanumeric string with a bit of logic.
Process:
Add the salt to the password before hashing (HASHBYTES('SHA2_256', @Password + @Salt)) and store both the hashed output and the salt for the user during the registration process.
On a subsequent login attempt, add the user-entered password to the salt, get the hashed output, and then compare it with the stored hashed value. If the values match, then the user is legitimate; else not.
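The registration and login steps described in this answer, written out as T-SQL. This is an added example, not code from the answer above; the table name dbo.AppUser, the procedure names dbo.RegisterUser and dbo.CheckLogin, and the sample user are assumed for illustration. It follows the answer's approach (whole NEWID() GUID as the salt, HASHBYTES('SHA2_256', password + salt)) and keeps the password and salt as nvarchar on both the registration and login paths, because HASHBYTES hashes the raw bytes of its argument and a varchar/nvarchar mismatch between the two paths would produce different hashes for the same password.

```sql
-- Added example (editor's, not the answerer's code). Names below are assumed.
CREATE TABLE dbo.AppUser (
    UserId       INT IDENTITY(1,1) PRIMARY KEY,
    UserName     NVARCHAR(100) NOT NULL UNIQUE,
    Salt         NVARCHAR(36)  NOT NULL,   -- whole GUID string, as recommended above
    PasswordHash VARBINARY(32) NOT NULL    -- SHA2_256 output is 32 bytes
);
GO

-- Registration: generate a salt, hash password + salt, store both.
CREATE PROCEDURE dbo.RegisterUser
    @UserName NVARCHAR(100),
    @Password NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt NVARCHAR(36) = CONVERT(NVARCHAR(36), NEWID());

    -- Password and salt are both nvarchar, so the concatenation is hashed
    -- as UTF-16 bytes; the login path below must use the same types.
    -- NVARCHAR(200) + 36 characters stays well under the 8000-byte input limit.
    INSERT INTO dbo.AppUser (UserName, Salt, PasswordHash)
    VALUES (@UserName, @Salt, HASHBYTES('SHA2_256', @Password + @Salt));
END
GO

-- Login: recompute the hash with the stored salt and compare with the stored hash.
CREATE PROCEDURE dbo.CheckLogin
    @UserName NVARCHAR(100),
    @Password NVARCHAR(200),
    @IsValid  BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt NVARCHAR(36), @Stored VARBINARY(32);

    SELECT @Salt = Salt, @Stored = PasswordHash
    FROM dbo.AppUser
    WHERE UserName = @UserName;

    -- An unknown user leaves @Stored NULL; NULL never compares equal, so the
    -- CASE falls through to 0 rather than raising an error.
    SET @IsValid = CASE
        WHEN @Stored IS NOT NULL
         AND HASHBYTES('SHA2_256', @Password + @Salt) = @Stored THEN 1
        ELSE 0
    END;
END
GO

-- Constructed sample usage: register a user, then check a correct and a wrong password.
DECLARE @ok BIT;
EXEC dbo.RegisterUser @UserName = N'alice', @Password = N'correct horse battery';
EXEC dbo.CheckLogin @UserName = N'alice', @Password = N'correct horse battery', @IsValid = @ok OUTPUT;
SELECT @ok AS LoginOk;
EXEC dbo.CheckLogin @UserName = N'alice', @Password = N'wrong password', @IsValid = @ok OUTPUT;
SELECT @ok AS LoginOk;
```

Both the salt and the hash are stored per user, as the answer describes; the only secret at login time is the password the user types, and the stored salt is read back to recompute the hash for comparison.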