Toto Toto - 10 months ago 32
SQL Question

Why should a bcrypt() hash be stored in (var)binary?

In our PHP application, we generate password hashes with

(using bcrypt).

bcrypt hashes should be stored in

I totally understand this requirement if the comparison and/or search is done inside the database (collation, case-sensitive vs. case-insensitive).

If the database is only used as storage, and the comparison is done in the PHP application with
, can we stay with

If not, why?


The result of password_hash() is something you can save in a normal VARCHAR(255) column; it's not binary data, just a string that looks like:


These are, of course, case sensitive but they'll never use anything but regular letters, numbers, and a select few bits of syntax.

This column does not need to be indexed, in fact that would make almost no sense. The password_verify() function works against a specific password and is deliberately slow, testing versus every user in the system would take a long time. This is to make it harder for people to brute-force guess passwords.
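Putting the question and the answer together, here is an added example (not code from either poster) that stores a password_hash() result in a VARCHAR(255) column of an in-memory SQLite database through PDO and does the comparison in PHP with password_verify(). The table layout, sample user and password are constructed for the example, and it assumes a PHP build with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original question or answer: keep the bcrypt
// hash in a character column and compare it in the application, never in SQL.
// The users table, its columns and the sample account are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// VARCHAR(255) is enough: a bcrypt hash is a fixed 60-character printable ASCII
// string, and 255 leaves headroom if PASSWORD_DEFAULT moves to a longer format.
// Only the lookup column (username) is unique/indexed; the hash column is not.
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL
)');

function createUser(PDO $db, string $username, string $password): void
{
    // PASSWORD_BCRYPT produces a "$2y$<cost>$..." string; the cost is what makes it slow.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Fetch by username only. The hash is never part of a WHERE clause, so the
    // column's collation and case sensitivity do not affect the check.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

createUser($db, 'alice', 'correct horse battery staple');

$stored = $db->query("SELECT password_hash FROM users WHERE username = 'alice'")
             ->fetchColumn();

// The stored value is text drawn from [./A-Za-z0-9] plus the '$' separators:
// 7 characters of prefix/cost, 22 of salt, 31 of hash, 60 in total.
var_dump(strlen($stored) === 60);
var_dump(preg_match('#^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$#', $stored) === 1);

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'Correct Horse Battery Staple'));
var_dump(login($db, 'nobody', 'anything'));

// The hash itself is case-sensitive data: the same string with its letter case
// changed is a different (invalid) hash. That is why a case-insensitive
// collation only matters if the database were asked to compare hashes itself.
var_dump(password_verify('correct horse battery staple', strtoupper($stored)));
```

Run it with `php example.php`; the three `strlen`/`preg_match` and first `login` checks are true, the remaining `login` calls and the upper-cased verification are false. The design choice is the one the answer describes: the database holds an opaque string, the only lookup is by username, and the deliberately slow password_verify() runs once per login attempt in PHP.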