SA-MP Forums Archive
Is SHA256 safe for password storage? Should I use anything else? - Printable Version

+- SA-MP Forums Archive (https://sampforum.blast.hk)
+-- Forum: SA-MP Scripting and Plugins (https://sampforum.blast.hk/forumdisplay.php?fid=8)
+--- Forum: Scripting Help (https://sampforum.blast.hk/forumdisplay.php?fid=12)
+--- Thread: Is SHA256 safe for password storage? Should I use anything else? (/showthread.php?tid=636364)



Is SHA256 safe for password storage? Should I use anything else? - EtayJ - 25.06.2017

Title says it all


Re: Is SHA256 safe for password storage? Should I use anything else? - HoussemGaming - 25.06.2017

I use WP_Hash, but SHA256 is good; it guarantees you security.


Re: Is SHA256 safe for password storage? Should I use anything else? - nGen.SoNNy - 25.06.2017

Use Whirlpool!


Re: Is SHA256 safe for password storage? Should I use anything else? - Vince - 25.06.2017

It's fine. Use salts for extra security. The salt should be at least as long as the hash itself (so 256 bits, 64 characters), it should be randomly generated and it should be unique for each player. That should provide sufficient protection. Until the player uses the password 123456 ...

Edit: as for Whirlpool: this requires an extra plugin. You've got a native implementation of SHA2 at your disposal. You might as well use it. And it even comes with a built in salting algorithm.


Re: Is SHA256 safe for password storage? Should I use anything else? - sammp - 25.06.2017

Quote:
Originally Posted by Vince
It's fine. Use salts for extra security. The salt should be at least as long as the hash itself (so 256 bits, 64 characters), it should be randomly generated and it should be unique for each player. That should provide sufficient protection. Until the player uses the password 123456 ...

Edit: as for Whirlpool: this requires an extra plugin. You've got a native implementation of SHA2 at your disposal. You might as well use it. And it even comes with a built in salting algorithm.
Just to clarify, salts are only needed to randomize the hash of common phrases, thus lowering the chances of your password showing up in pre-calculated tables. So, if my password was simply "password", adding a salt would make my password (this is an 8-byte salt) "password+F1F35315F955C293", or something similar.

And Vince, your salt doesn't need to be bigger than 128 bits. A 128-bit salt makes 1000 passwords per user reusing the same salt (I'm talking > 7 billion users here) negligible. It all depends on the size of your community, to be fair. The OP would get away with a 32-bit salt, provided his playerbase doesn't grow above ~10,000 users.
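The scheme Vince and sammp describe above (a random salt, unique per player, SHA-256 over password followed by salt), worked through in Python as an added example; this is not code from the thread and not SA-MP's own SHA256_PassHash native, it only mirrors the password+salt concatenation order sammp's post uses. The function names, the (salt, hash) record layout and the WORDLIST are assumptions made for the example. The last two functions show the two sides of the salt argument in the thread: a table of unsalted SHA-256 values is useless against a salted hash, but per-player guessing with the stored salt still recovers "123456" immediately, which is Vince's "until the player uses the password 123456" caveat in practice.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed record layout for this example: each player stores (salt_hex, hash_hex).
# Vince's advice: a random, per-player salt of 256 bits, i.e. 64 hex characters.
SALT_BYTES = 32  # 256 bits -> 64 hex characters


def make_salt() -> str:
    """Cryptographically random salt, generated fresh for every player."""
    return secrets.token_hex(SALT_BYTES)


def hash_password(password: str, salt: str) -> str:
    """SHA-256 over password + salt, the concatenation order used in the thread.
    Upper-case hex so it looks like the strings SA-MP scripts usually store."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest().upper()


def register(password: str) -> Tuple[str, str]:
    """Return the (salt, hash) pair to keep next to the player's account."""
    salt = make_salt()
    return salt, hash_password(password, salt)


def verify(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def same_password_same_hash(password: str) -> bool:
    """Two players who pick the same password: do their stored hashes collide?
    With a unique salt per player the answer is no, so one cracked hash says
    nothing about the other account."""
    _, hash_a = register(password)
    _, hash_b = register(password)
    return hash_a == hash_b


def unsalted_table_hit(stored_hash: str, wordlist) -> bool:
    """Emulate a pre-computed table of plain SHA-256(word) values (sammp's point):
    it cannot contain a salted hash, so the lookup misses."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest().upper(): w for w in wordlist}
    return stored_hash in table


def dictionary_attack(salt: str, stored_hash: str, wordlist) -> Optional[str]:
    """Per-player guessing once the attacker holds salt and hash (a leaked
    database). The salt defeats pre-computation only; SHA-256 is fast, so a
    weak password still falls to a tiny wordlist."""
    for candidate in wordlist:
        if hash_password(candidate, salt) == stored_hash:
            return candidate
    return None


# Constructed sample wordlist for the demonstration, not real leaked data.
WORDLIST = ["password", "123456", "qwerty", "letmein"]


if __name__ == "__main__":
    salt, stored = register("123456")
    print("salt:", salt)
    print("hash:", stored)
    print("login ok:", verify("123456", salt, stored))
    print("same hash for two players with same password:", same_password_same_hash("password"))
    print("unsalted table finds it:", unsalted_table_hit(stored, WORDLIST))
    print("dictionary attack with salt finds:", dictionary_attack(salt, stored, WORDLIST))
```

The takeaway for the question in the thread title: a per-player random salt with the native SHA-256 is enough to stop rainbow tables and cross-account reuse, but because SHA-256 costs microseconds per guess it does nothing against weak passwords once the database leaks; a slow, deliberately expensive password hash is what addresses that, and the salt is still required either way.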