Hashed string lengths

[eluser]Unknown[/eluser]
Just a quick question to do with storing hashed passwords.

I'm using the php SHA1 hash function for encrypting my passwords (with salt etc) to store in a database. Do the strings the hash returns always have the same length? If thats so, then can I set the database field to be something like CHAR(40)?

Whats your current password practices?

[eluser]Derek Allard[/eluser]
http://ca3.php.net/sha1
According to PHP.net, its 20 if raw, and 40 if not raw.

[eluser]Jim OHalloran[/eluser]
[quote author="eddiegroves" date="1192782877"]Do the strings the hash returns always have the same length?[/quote] Yup, you can take whatever length of input you like (e.g. a single byte or a multi-gigabyte file) and the hash will always be the same length. This leads to one potential problem of hashing, there's a lot more possible inputs to a hash than there are possible results. However in general terms a "collision" (two different inputs with the same hash) is unlikely with most well designed hash algorithms (MD5 has at least one known collision), and in general terms the longer the hash, the less likely a collision. [quote author="eddiegroves" date="1192782877"]If thats so, then can I set the database field to be something like CHAR(40)?[/quote]Yes![quote author="eddiegroves" date="1192782877"]Whats your current password practices?[/quote] SHA hash with a randomly derived salt (e.g. the output of the uniqid function. If the salt is derived randomly it needs to be stored in the database along with the salted and hashed password.

Jim.