Password Hashing - Server Side Code vs Database

Do you prefer to hash your passwords using server-side code like PHP/ASP, or to use the built-in functions of the DB, like SQL Server HASHBYTES?
Scott Fell, EE MVE, Developer & EE Moderator, asked:
Dave Baldwin, Fixer of Problems, commented:
I have always used the PHP methods.  Don't even know about the SQL methods.
N-W commented:
Always using server side code.

Using server-side code, your security isn't dependent on the database software you are running. The hashing utilities built in to database systems are generally fairly poor in comparison to what can be written in your code.

Separating it from the database software also allows you to use your code with different database software if needed later on.
David Todd, Senior DBA, commented:

Okay for transportability, then do it in the application.

OTOH, you could use SQL and PWDCOMPARE and PWDENCRYPT, which would allow you to store the hashed passwords in the database quite easily.

BTW, these are the same functions that the SQL-authenticated logins use, so I'm pretty sure that 90% of the time it is strong enough on a recent version of SQL.


Slick812 commented:
I also use server-side code and not SQL to hash passwords for DB storage; there are now so many hash look-up tables for MD5 and SHA that these are considered no obstacle to flip back via a look-up. There are many security sites that suggest the current minimum hash standard is SHA256 with a true "seed" offset; in PHP I use at least -
$jumbled = hash_hmac('sha256', $Password, $longSeed, true);
and store in a VARBINARY table column.
I use sha384, sha512 or whirlpool, if available; better safe than sorry.
The hash_hmac() does a true seed distortion, so the normal look-up tables for a hash algorithm will not work.
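As an added example (not code from the thread), here is the server-side approach Slick812 describes carried through in PHP: HMAC-SHA256 keyed with a long server-side secret, extended with a per-user random salt, raw binary output sized for VARBINARY columns, and a constant-time comparison at login. The function names, the PW_HMAC_KEY environment variable and the sample password are assumptions for illustration. The closing lines show PHP's own password_hash()/password_verify() (PHP 5.5 and later), which add the slow, tunable work factor that a single HMAC round lacks; against an attacker who has already copied the users table, a fast hash with a salt still permits high-rate offline guessing, so the built-in API is the safer default.

```php
<?php
// Added example, not from the original thread.
// Server-side password hashing: HMAC-SHA256 with a server-held secret
// (the "long seed" in the post) plus a per-user random salt.

const HASH_ALGO  = 'sha256';
const SALT_BYTES = 16;

// Assumed: the HMAC key is read from the environment or app config, so a
// dump of the database alone does not include it. The fallback string is a
// placeholder for this example only; never ship a hard-coded key.
$serverKey = getenv('PW_HMAC_KEY') ?: 'replace-with-a-long-random-secret-from-config';

/**
 * Returns [salt, digest] as raw bytes: 16 bytes of salt and a 32-byte
 * SHA-256 HMAC, sized for VARBINARY(16) and VARBINARY(32) columns.
 * A fresh salt per user means two users with the same password get
 * different digests, and precomputed tables are useless even if the
 * HMAC key were ever disclosed.
 */
function hash_password(string $password, string $serverKey): array
{
    $salt   = random_bytes(SALT_BYTES);                         // CSPRNG (PHP 7+)
    $digest = hash_hmac(HASH_ALGO, $salt . $password, $serverKey, true);
    return [$salt, $digest];
}

/**
 * Recomputes the digest for the stored salt and compares in constant
 * time, so response timing does not reveal how many leading bytes matched.
 */
function verify_password(string $password, string $salt, string $storedDigest, string $serverKey): bool
{
    $candidate = hash_hmac(HASH_ALGO, $salt . $password, $serverKey, true);
    return hash_equals($storedDigest, $candidate);
}

// Constructed usage: stand-ins for values the application would write to
// and read back from its users table.
[$salt, $digest] = hash_password('correct horse battery staple', $serverKey);

printf("salt length %d, digest length %d\n", strlen($salt), strlen($digest));
printf("correct password accepted: %s\n",
    verify_password('correct horse battery staple', $salt, $digest, $serverKey) ? 'yes' : 'no');
printf("wrong password accepted: %s\n",
    verify_password('password', $salt, $digest, $serverKey) ? 'yes' : 'no');

// The same job with PHP's purpose-built API: bcrypt with its own random salt
// and a tunable cost, stored as a single string in a VARCHAR(255) column.
// Raising 'cost' slows every guess an offline attacker must make.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 12]);
printf("password_verify: %s\n",
    password_verify('correct horse battery staple', $stored) ? 'yes' : 'no');
```

The salt is prepended to the password before the HMAC rather than mixed into the key, so the server secret stays a single value that can be rotated independently of the per-user rows. If you keep the HMAC design instead of password_hash(), store the salt alongside the digest in its own VARBINARY column; never derive it from the username or e-mail, which an attacker holding the table also has.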
Ray Paseur commented:
I use md5().  Despite what lots of people write about it, it's good enough if the passwords are salted correctly (and if your clients are not idiots who choose a password like "password" thereby destroying any chance they have of account security).

Please go to this article and read the part about An Afterword: About Storing Passwords for some of my thoughts and observations.
Scott Fell, EE MVE, Developer & EE Moderator (Author), commented:
Thanks Ray, I have already read your article probably more than a couple of times, as well as a few threads where you mentioned the same thing about md5, and I agree. The real issue is, as you suggest, bad passwords. When I try to set up some parameters to ensure at least 8 characters, use upper and lower case and a special character, I will get a complaint from the client that the password becomes too hard to remember and they just want to enter their kid's name. I send them a few links about the dangers of easy passwords (not including the @N, @JP sagas

I have always just set the hash using server-side code and was wondering if there is any advantage to doing this on the DB. I think it may be best to keep using server-side code for this. If I wanted to reuse code from one project to the next, I think I could be more consistent and not worry about how SQL Server vs MySQL works.
Ray Paseur commented:
Agree about code reuse vs different SQL engines.  One of the ideas that seems to be getting some traction lately is the idea of a pass-phrase instead of a password.  This may be easier for clients who agonize over the one upper, one lower, one special, one number, etc... rules.  But still, the effect is the same as the hashing effect - adding more characters should make the cracking process take a little longer.  It will do nothing to prevent it forever.
Scott Fell, EE MVE, Developer & EE Moderator (Author), commented:
I have not re-read this one in a while; I seem to recall they talked about pass phrases being a good option.

I think I am going to stick with hashing server-side.
Ray Paseur commented:
In any security setup it is better to go with the "more" rather than the "least"; using md5 when you can just as easily use sha256 defies any thinking that I can do. Anyone who has had md5 passwords rolled through and extracted would likely never say what Ray says about using md5 anyway.
A Quote from the "minced-meat" article that Ray Paseur gave -
"the website's unfortunate and irresponsible use of MD5"
Scott Fell, EE MVE, Developer & EE Moderator (Author), commented:
I didn't mean for this to be a debate on which algo to use. I am using sha256; any of them is just as easy to use as the next. In the end, if somebody did break in, they would probably be smart enough to find the code that ultimately has the password. Plus they would be able to see a bunch of names, addresses, event activity
Dave Baldwin, Fixer of Problems, commented:
That's a puzzle to me.  If someone has gotten access to the point where they can even see the MD5 version of the password, your site has already been thoroughly compromised.
Scott Fell, EE MVE, Developer & EE Moderator (Author), commented:
Sticking with server-side code. Thanks!