I'm creating an application which generates licenses key and stores this in a database (the licenses are checked online). I don't wish to store these license unhashed, in case the database is stolen.
However, once the license key is hashed (with salt), it becomes very difficult to check if a given key exists in the database, since the salt used will change with each key.
What is the best solution to be able to find and verify a hashed license key? I have considered hashing half of the license key unsalted, and using that to identify the license row before checking the full key hashed with salt. Is this too risky?
I've also considered using the last 1/4 of the key as an identifier (e.g. AAAB = 1, AAAC =2 etc), For a key length of 16, this allows 2^20 keys.
(Side note: keys are base32 encoded, and will be 16 characters long (but could be chosen longer). The application is a general one - i.e. it's not tied to any particular use-case, so there is no fixed estimate on the number of licenses required - although the key length could be increased depending on that esimate).