Are there any inherited flaws in this algorithm?
It is not open to rainbow attacks (due to the random salt). SHA-512 is a fairly new algorithm, but currently it has no known collisions, so it is probably pretty safe. The way your passwords are stored is good. The verification process is also important (limiting the speed of brute-force attacks), as is protecting the server from attacks from other angles that may try to access the database. If an attacker could gain access to the database, he could probably quickly extract simple passwords, but any complex password would probably be out of reach of a simple brute-force attack (even if he had direct access to the hashes).
Is it possible to save the salt in the same database and table as the salt + password hash?
You pretty much have to keep them together if you want to verify passwords (I suppose you want to). The main reason for salting a password is to remove the possibility of a rainbow attack. Often this data is even stored in the same column as the hashed password, using a character to separate them.
Will having a large 128-character password cause login performance problems (for a few seconds) if I have several hundred thousand users in the table?
Check how much time (in seconds) it takes to verify the password (hash('sha512', $salt.$password_attempt)). Find the inverse of this number, and that is probably close to how many password attempts you can process per second on one processor core.
Can I change this data to create an initial password?
Yes, but it will take a lot of effort: since you use a random salt, rainbow tables will no longer work, and SHA-512 requires enough CPU to run and has no known collisions. If the password were pretty simple, you could guess it. If you are worried about changing the hashing, a low score for password complexity might be a good idea (checking it against a dictionary, whether it contains upper / lower / digits / characters).
Kendall Hopkins
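The storage layout and the timing check described in this answer, as an added example that is not part of the original answer: the salt and the SHA-512 hash share one column, and the measured time per verification is inverted to get verifications per second per core. The function names, the `$` separator, the salt length and the sample password are assumptions.

```php
<?php
// Added example. Helper names, the '$' separator and SALT_BYTES are assumptions.
const SALT_BYTES = 16;

// Build the value stored in one column: hex salt, separator, SHA-512 hex digest.
function make_record(string $password): string {
    $salt = bin2hex(random_bytes(SALT_BYTES));   // random per-user salt
    return $salt . '$' . hash('sha512', $salt . $password);
}

// Split the stored value, recompute the hash with the stored salt, compare.
function verify_record(string $record, string $attempt): bool {
    $parts = explode('$', $record, 2);
    if (count($parts) !== 2) {
        return false;                            // malformed row: reject
    }
    [$salt, $expected] = $parts;
    // hash_equals compares the two digests in constant time
    return hash_equals($expected, hash('sha512', $salt . $attempt));
}

// Average seconds per verification and its inverse (attempts per second per core).
function measure(string $record, int $rounds = 20000): array {
    $start = hrtime(true);                       // monotonic clock, nanoseconds
    for ($i = 0; $i < $rounds; $i++) {
        verify_record($record, "guess$i");
    }
    $seconds = (hrtime(true) - $start) / 1e9 / $rounds;
    return [$seconds, 1 / $seconds];
}

$record = make_record('correct horse battery staple');   // constructed sample
var_dump(verify_record($record, 'correct horse battery staple'));
var_dump(verify_record($record, 'wrong password'));
var_dump(verify_record('no-separator', 'x'));
// Two records for the same password differ, because each gets its own salt.
var_dump(make_record('same') === make_record('same'));

[$seconds, $perSecond] = measure($record);
printf("%.2f microseconds per check, about %d checks per second per core\n",
       $seconds * 1e6, $perSecond);
```

The per-check time is also the cost of one guess for anyone who holds the stored values and runs the same code on comparable hardware.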