What column type length should I use for storing a Bcrypt hashed password in a Database

Question

I want to store a hashed password  using BCrypt  in a database  What would be a good type for this  and which would be the correct length  Are passwords hashed with BCrypt always of same length   EDIT  Example hash    2a 10 KssILxWNR6k62B7yiX0GAe2Q7wwHlrzhF3LqtVvpyvHZf0MwvNfVu  After hashing some passwords  it seems that BCrypt always generates 60 character hashes   EDIT 2  Sorry for not mentioning the implementation  I am using jBCrypt

User · Accepted Answer

The modular crypt format for bcrypt consists of

$2$ , $2a$ or $2y$ identifying the hashing algorithm and format
a two digit value denoting the cost parameter, followed by $
a 53 characters long base-64-encoded value (they use the alphabet ., /, 0–9, A–Z, a–z that is different to the standard Base 64 Encoding alphabet) consisting of:
- 22 characters of salt (effectively only 128 bits of the 132 decoded bits)
- 31 characters of encrypted output (effectively only 184 bits of the 186 decoded bits)

Thus the total length is 59 or 60 bytes respectively.

As you use the 2a format, you’ll need 60 bytes. And thus for MySQL I’ll recommend to use the CHAR(60) BINARYor BINARY(60) (see The _bin and binary Collations for information about the difference).

CHAR is not binary safe and equality does not depend solely on the byte value but on the actual collation; in the worst case A is treated as equal to a. See The _bin and binary Collations for more information.

User · Answer

A Bcrypt hash can be stored in a BINARY 40  column   BINARY 60   as the other answers suggest  is the easiest and most natural choice  but if you want to maximize storage efficiency  you can save 20 bytes by losslessly deconstructing the hash  I ve documented this more thoroughly on GitHub  https   github com ademarre binary-mcf  Bcrypt hashes follow a structure referred to as modular crypt format  MCF   Binary MCF  BMCF  decodes these textual hash representations to a more compact binary structure  In the case of Bcrypt  the resulting binary hash is 40 bytes   Gumbo did a nice job of explaining the four components of a Bcrypt MCF hash     lt id gt   lt cost gt   lt salt gt  lt digest gt    Decoding to BMCF goes like this      lt id gt   can be represented in 3 bits   lt cost gt    04-31  can be represented in 5 bits  Put these together for 1 byte  The 22-character salt is a  non-standard  base-64 representation of 128 bits  Base-64 decoding yields 16 bytes  The 31-character hash digest can be base-64 decoded to 23 bytes  Put it all together for 40 bytes  1   16   23   You can read more at the link above  or examine my PHP implementation  also on GitHub

User · Answer

If you are using PHP s password hash   with the PASSWORD DEFAULT algorithm to generate the bcrypt hash  which I would assume is a large percentage of people reading this question  be sure to keep in mind that in the future password hash   might use a different algorithm as the default and this could therefore affect the length of the hash  but it may not necessarily be longer    From the manual page      Note that this constant is designed to change over time as new and   stronger algorithms are added to PHP  For that reason  the length of   the result from using this identifier can change over time  Therefore    it is recommended to store the result in a database column that can   expand beyond 60 characters  255 characters would be a good choice     Using bcrypt  even if you have 1 billion users  i e  you re currently competing with facebook  to store 255 byte password hashes it would only  255 GB of data - about the size of a smallish SSD hard drive  It is extremely unlikely that storing the password hash is going to be the bottleneck in your application  However in the off chance that storage space really is an issue for some reason  you can use PASSWORD BCRYPT to force password hash   to use bcrypt  even if that s not the default  Just be sure to stay informed about any vulnerabilities found in bcrypt and review the release notes every time a new PHP version is released  If the default algorithm is ever changed it would be good to review why and make an informed decision whether to use the new algorithm or not

User · Answer

I don t think that there are any neat tricks you can do storing this as you can do for example with an MD5 hash   I think your best bet is to store it as a CHAR 60  as it is always 60 chars long

[mysql] What column type/length should I use for storing a Bcrypt hashed password in a Database?

Examples related to mysql

Examples related to hash

Examples related to types

Examples related to storage

Examples related to bcrypt