How long should my password salt be, and is SHA-256 good enough?

Your suggestion of 12 bytes should be an adequate length for a salt. That would require a dictionary attack to prepare 2⁹⁶ databases of hashed passwords. Someday this might be a trivial operation for a cracker, but we're still a ways off from that.

SHA256 is recommended by NIST as having adequate hashing strength for passwords, at least for now.

If you want to explore even stronger methods of password security, look into key-strengthening techniques like PBKDF2, or adaptive hashing with Bcrypt. But these have no direct support in SQL. You'd have to do the hashing in application code and then post the hash digest to your database.

It may seem like security overkill for a gaming site, but it's a good practice to do it. Because many users (inadvisably) use the same password for their gaming login as they do for their banking login! You don't want to be responsible for an authentication breach that leads indirectly to major losses.

Update:

Don't use hashing or HMAC. Use bcrypt or scrypt. See http://codahale.com/how-to-safely-store-a-password/

Original:

Don't simply hash. Use HMAC. (And avoid doing your own hashing or crypto if there is a library available, since libraries benefit from expert input.)

References:

1. http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/
2. http://us2.php.net/manual/en/function.hash-hmac.php

It's probably sufficient for your use case.

However, it could be improved by:

1. Increase the size of the salt

2. The salt should be not be limited to a small subset of characters

3. Iterate the hashing, say 1000 times (key strengthening)

Have a look at phpass.