9

In my ASP.NET web app I'm hashing my user passwords with SHA512.

Despite much SO'ing and Googling I'm unclear how I should be storing them in the database (SQL2005) - the code below shows the basics of how I'm creating the hash as a string and I'm currently inserting it into the database into a Char(88) column as that seems to be the length created consistently

Is holding it as a String the best way to do it, if so will it always be 88 chars on a SHA512 (as I have seen some bizarre stuff on Google)? 

 Dim byteInput As Byte() = Encoding.UTF8.GetBytes(sSalt & sInput)
 Dim hash As HashAlgorithm = New SHA512Managed()
 Dim sInsertToDatabase As String =  Convert.ToBase64String(hash.ComputeHash(byteInput))
Chris
  • 1,324
  • 5
  • 18
  • 29
  • Have a look at [link text](http://altairiswebsecurity.codeplex.com)/ if you want to use asp.net membership. It has very open table structure, so it might be easier to integrate with your current database. – jhexp Apr 14 '10 at 13:20

1 Answers1

14

SHA512 outputs 512 bits, or 64 bytes. You can store those 64 bytes in a binary column, if you so wished.

If you want to handle the hash outside your application is more comfortable to store a Base64 string, as you are doing now. Base64 adds roughly a 33% of constant overhead, so you can expect the string to be always 88 chars.

That said, ASP.NET has a fairly comprehensive authentication system builtin, which you should use.

Vinko Vrsalovic
  • 330,807
  • 53
  • 334
  • 373
  • A byte array in .NET maps directly to BINARY (or VARBINARY) in T-SQL – RickNZ Dec 01 '09 at 23:27
  • 2
    Thanks @Vinko for all of the clarification - I like to own the security model and understand exactly what is going where and know that I can port the usability of the passwords away from ASP.NET at any time - I've been bitten there before. Maybe misguided, certainly not that I'm a control freak or anything ;) – Chris Dec 02 '09 at 06:44