I have a procedure used to authenticate users in my db and it never crossed my mind to determine how long of an password a user could have in the db. I'm at the point where if someone wants to have a 100 char password, so be it, but I'm thinking I want to use this to account recovery questions as well.
Here is my procedure:
declare @PasswordHash nvarchar(100)
= 'ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|ThisIs101|'
DECLARE @salt UNIQUEIDENTIFIER = Newid();
declare @passwordHast binary(64) = (
select Hashbytes('SHA2_512', @PasswordHash + Cast(@salt AS NVARCHAR(36)))
);
if (@passwordHast = Hashbytes('SHA2_512', @PasswordHash + Cast(@salt AS NVARCHAR(36))))
begin
select 1
end
else
begin
select 0
end
Just to put it out there, in the use case for recovery passwords, there will be a system password not kept in the DB, however if there is a better way, i'm all ears.