A Guide to Choosing Database Field Types and Lengths for Hashed Password Storage

Keywords: Password Hashing | Bcrypt | Database Design | CHAR Type | Secure Storage

Abstract: This article provides an in-depth analysis of best practices for storing hashed passwords in databases, including the selection of appropriate hashing algorithms (e.g., Bcrypt, Argon2i) and corresponding database field types and lengths. It examines the characteristics of different hashing algorithms, compares the suitability of CHAR and VARCHAR data types, and offers practical code examples and security recommendations to help developers implement secure and reliable password storage solutions.

Fundamentals of Password Hashing

Password hashing is an encryption process that converts user passwords into fixed-length strings. Unlike encryption, hashing is a one-way operation, meaning the original password cannot be retrieved from the hash value. This ensures that even if the database is compromised, attackers cannot directly obtain user passwords.

The Need for Specialized Password Hashing Algorithms

Traditional hash functions like MD5 and SHA-1, while capable of generating fixed-length hash values, are designed for fast computation and are unsuitable for password storage. Attackers can easily reverse simple passwords using rainbow tables or brute-force methods. Therefore, modern password storage recommends key-strengthening hash algorithms such as Bcrypt or Argon2i. These algorithms significantly increase cracking difficulty by incorporating salt and work factors.

Storage Solution for Bcrypt Hashes

Bcrypt is a widely recommended password hashing algorithm. In PHP, the password_hash() function can be used to generate a Bcrypt hash:

$hash = password_hash("rasmuslerdorf", PASSWORD_DEFAULT);

The resulting hash is a 60-character string, for example: $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a. Since Bcrypt hashes are always of fixed length, it is advisable to use the CHAR(60) type in MySQL for storage. This choice not only ensures data integrity but also facilitates direct viewing and verification.

Storage Requirements for Other Hashing Algorithms

Although not recommended for password storage, understanding the storage needs of other hashing algorithms remains valuable:

MD5: 128-bit hash, can use CHAR(32) or BINARY(16)
SHA-1: 160-bit hash, can use CHAR(40) or BINARY(20)
SHA-256: 256-bit hash, can use CHAR(64) or BINARY(32)
SHA-512: 512-bit hash, can use CHAR(128) or BINARY(64)

According to NIST recommendations, SHA-256 or higher versions are suitable for scenarios requiring interoperability but should not be used for password storage.

Basis for Choosing Between CHAR and VARCHAR

In database design, CHAR and VARCHAR are two common string types. CHAR is fixed-length and ideal for storing data of constant length, such as hash values; whereas VARCHAR is variable-length and better suited for text of uncertain length. Using CHAR for hash values not only improves indexing efficiency but also allows intuitive reflection of data content through field length, enhancing maintainability.

Security Practices and Conclusion

To ensure password security, always use dedicated algorithms like Bcrypt or Argon2i and avoid storing plaintext passwords in the database. Selecting CHAR(60) as the storage type for Bcrypt hashes meets data requirements and aligns with best practices. By designing the database schema appropriately and combining it with secure hashing implementations, the overall security of the system can be significantly enhanced.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.