
I need to query a serial number on a MySQL database. Because of the sensitivity of this serial number, it's stored as a bcrypt hash in the database. The hash is generated with a random salt, which is the default behavior of the password_hash() function.

The problem I'm encountering is that I need to query the database on this hash; there is no other required identifier. I can use a fixed salt, but this is deprecated since PHP 7.0. I already know that the table will grow very big over time, and that retrieving all results and then checking all the hashes would be quite troublesome. To future-proof the hashing it has been determined that I need to use the password_hash() function.

Is there any way to query the database without sacrificing security, performance or using deprecated functionality?

As a sidenote, PDO is used to retrieve the results.

Edelweiss
    Hashes with a random salt are, as a rule of thumb, not indexable/queryable. That's basically what they've been designed *not* to be. They're the wrong tool for the job. You're basically asking the impossible. – deceze Dec 04 '20 at 10:32
  • @deceze That's a shame. I hoped there would be a solution because password_verify() can be used to validate a string on a hash and that there would be an overlooked optimized method to use this in a query. – Edelweiss Dec 04 '20 at 10:42
  • If you want to store a hash in the database instead of the real value, then you need an unsalted hash like the SHA family. But then it becomes a question of what you're trying to hide and from whom, since this kind of hash can be brute forced in the worst case. – deceze Dec 04 '20 at 10:45
  • @deceze The hash has monetary value. In case of a database breach an easily brute-forceable hash would be devastating to the customer. I will consider a SHA hash though because in any case it's better than storing it as a raw value. Thanks! – Edelweiss Dec 04 '20 at 10:58
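As an added example (not code from the question or its comments), the script below shows in PHP why the bcrypt output of password_hash() cannot serve as a WHERE-clause key, and one common way out of the dilemma raised in the comments: instead of an unsalted SHA hash, store a deterministic keyed hash (HMAC-SHA256 with a secret "pepper" kept outside the database) in an indexed column for the lookup, and keep the bcrypt hash for the final password_verify() check. The table layout, column names, the pepper's environment variable and the sample serial numbers are all assumptions made for this example; an in-memory SQLite connection stands in for MySQL so it runs offline.

```php
<?php
// Added example, not from the question or its comments. Table layout,
// column names, the SERIAL_LOOKUP_PEPPER variable and the sample serials
// are assumptions; SQLite stands in for MySQL so the script runs offline.
declare(strict_types=1);

// The pepper must live outside the database (env var, secret store), so a
// dump of the table alone is not enough to compute lookup keys for guesses.
$pepper = getenv('SERIAL_LOOKUP_PEPPER') ?: 'example-pepper-do-not-use-in-production';

// 1. Why the bcrypt column is not queryable: every call to password_hash()
//    draws a fresh random salt, so two hashes of the same serial differ,
//    although password_verify() accepts both.
$serial = 'SN-2020-000123';                         // constructed sample value
$h1 = password_hash($serial, PASSWORD_BCRYPT);
$h2 = password_hash($serial, PASSWORD_BCRYPT);
echo 'bcrypt hashes identical: ', var_export($h1 === $h2, true), PHP_EOL;
echo 'both verify: ', var_export(password_verify($serial, $h1) && password_verify($serial, $h2), true), PHP_EOL;

// 2. Deterministic lookup key: same serial + same pepper => same output,
//    so it can be indexed and compared with a plain equality.
function lookupKey(string $serial, string $pepper): string
{
    return hash_hmac('sha256', $serial, $pepper);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE serials (
    id INTEGER PRIMARY KEY,
    lookup_key CHAR(64) NOT NULL UNIQUE,   -- indexed HMAC, used in WHERE
    serial_hash VARCHAR(255) NOT NULL       -- bcrypt from password_hash()
)');

// 3. Store: both hashes are written, the raw serial never is.
$ins = $pdo->prepare('INSERT INTO serials (lookup_key, serial_hash) VALUES (:k, :h)');
foreach (['SN-2020-000123', 'SN-2020-000124'] as $s) {   // constructed sample data
    $ins->execute([
        ':k' => lookupKey($s, $pepper),
        ':h' => password_hash($s, PASSWORD_BCRYPT),
    ]);
}

// 4. Query: one indexed equality lookup fetches at most a single candidate
//    row, then password_verify() confirms it. No full-table scan is needed.
function findSerial(PDO $pdo, string $serial, string $pepper): ?int
{
    $q = $pdo->prepare('SELECT id, serial_hash FROM serials WHERE lookup_key = :k');
    $q->execute([':k' => lookupKey($serial, $pepper)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($serial, $row['serial_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

echo 'known serial -> id: ', var_export(findSerial($pdo, 'SN-2020-000124', $pepper), true), PHP_EOL;
echo 'unknown serial -> id: ', var_export(findSerial($pdo, 'SN-9999-999999', $pepper), true), PHP_EOL;
```

The first two lines of output show the bcrypt hashes differ while both verify; the last two show the indexed lookup finding the known serial and returning null for an unknown one. The caveat that deceze's comment points at still applies in a weaker form: the HMAC column is deterministic, so an attacker who obtains both the table and the pepper can test guessed serial numbers quickly, and the bcrypt column adds little at that point. Keeping the pepper out of the database (and rotating it by re-keying the column if it ever leaks) is what makes the lookup key safer than an unsalted SHA hash; the bcrypt column then mainly guards against a leak of the table alone.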

0 Answers