
Should the username be hashed when storing passwords and information in a database?

Just wondering if it would be good practice to store the username hashed in a database when storing user information such as passwords and whatnot.


It is overkill to encrypt/hash the username. If you are worried about security, just hash using SHA256 with a random salt.

Encrypting the username does not make sense because you are likely to search based on userName or partial userName. Encrypting will just make it hard to search.


Alright, for my whole life I have been using SHA256 with salt, thinking it's the strongest. The good comment by Rein Henrichs on this post reveals that SHA256 may not be the safest. You may want to use bcrypt, but I guess it's very slow. I will do some proofs of concept; if it's very slow then I will stay with SHA256+salt.

Thanks for the link.


No, you should not.

Otherwise, you could not show a list of registered users, or anything of that type. It would also make a lot of other functions unnecessarily clunky.

Just use a one way digest method (such as bcrypt) on the user's password with a suitably high work factor.
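The storage layout this answer (and the one above it) describe, written out as an added example that is not code from the original post or from any of the answerers: the username is kept in the clear behind a unique, case-insensitive key so it can be looked up and prefix-searched, and only the password goes through a salted, deliberately slow digest with an explicit work factor. bcrypt is a third-party package in Python, so the standard library's PBKDF2-HMAC-SHA256 stands in for it here; the iteration count plays the role of bcrypt's cost parameter. The table schema, the `ITERATIONS` value and the stored-string format `algo$iterations$salt$digest` are all assumptions made for this example, as is the in-memory SQLite database.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor: PBKDF2 iteration count. Assumed value for this example; tune it
# so one verification takes roughly 100 ms on your servers, the same way you
# would pick bcrypt's cost parameter. Because the count is stored alongside
# each hash, it can be raised later and old rows re-hashed at the next login.
ITERATIONS = 200_000
SALT_LEN = 16  # bytes of random salt per password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never a match
    _, iterations, salt_hex, digest_hex = parts
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


# Hash verified against when the username does not exist, so a failed login
# costs the same time whether or not the account is real.
DUMMY_HASH = hash_password("not-a-real-password")


def open_user_db() -> sqlite3.Connection:
    """In-memory database (constructed for this example). The username is stored
    in the clear under a case-insensitive unique key; only the password is hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               username      TEXT PRIMARY KEY COLLATE NOCASE,
               password_hash TEXT NOT NULL
           )"""
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Create the account; returns False if the username (ignoring case) is taken."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO users (username, password_hash) VALUES (?, ?)",
                (username, hash_password(password)),
            )
    except sqlite3.IntegrityError:
        return False
    return True


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up by plaintext username, then verify the slow hash."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # burn the same work, then fail
        return False
    return verify_password(password, row[0])


def search_users(conn: sqlite3.Connection, prefix: str) -> list:
    """Prefix search on the username: only possible because it is not hashed."""
    # Escape LIKE metacharacters so a prefix such as "a%" is matched literally.
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY username",
        (escaped + "%",),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_user_db()
    register(db, "alice", "correct horse battery staple")
    register(db, "alison", "hunter2")
    print(login(db, "alice", "correct horse battery staple"))  # True
    print(login(db, "alice", "wrong"))                          # False
    print(search_users(db, "ali"))                              # ['alice', 'alison']
```

Two details are worth carrying into a real implementation: the stored string records the algorithm and iteration count, so a future move to a higher cost or to bcrypt only needs a new prefix and a re-hash on successful login; and `login` runs the same PBKDF2 work for unknown usernames, so response time does not reveal which accounts exist.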


Not necessary. Just use a hashing function designed to make brute-force attacks unperformant, like bcrypt. SHA is insufficient.


Do not ever store the password in cleartext. But you don't need to hash the username.

But I assume you will use this user information for some server to allow the clients to log in. It's safe if the password is not transferred on the wire from client to server. In that case, you can use some one-way hash for your password. If your client and server are both aware of the hash function, your password never needs to go over the wire. But the problem arises if you want to change the hash mechanism. Both your client and server need to be updated. In that case the client has to negotiate what mechanism the server used. You will end up doing a kind of SPNEGO mechanism ;)
