This question already has answers here:
Closed 7 years ago.
Possible Duplicate:
What algorithm should I use to hash passwords into my database?
I am new to this hashing on password. I read the hashing + salt make passwords really safe. But still confused which hashing algorithm should I use as there are many like.
MD5CryptoServiceProvider
SHA1Managed
SHA256Managedetc.
How can I decide which one is good for me or all are equal. Can I pick up anyone blindly?
MD5:
In 1996, a flaw was found with the design of MD5, and while it was
not a clearly fatal weakness, cryptographers began recommending the
use of other algorithms, such as SHA-1—which has since been found to
be vulnerable as well.
SHA1:
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the
algorithm might not be secure enough for ongoing use
SHA2 which SHA256 is a type of does not have a known vulnerability as of the moment of writing.
Fast hash algorithms like MD5, SHA-1 or even SHA-256 are not good choices to hash passwords, because they are much too fast and can be brute-forced too easily. One can calculate about 3 Giga SHA-1 values per second with common hardware in 2013.
Instead you can use a slow key-derivation function like BCrypt or PBKDF2. CSharp has native support for PBKDF2, it can be implemented with the Rfc2898DeriveBytes class, an example you can find here.
Also easy to use is this BCrypt library. Often people are not sure if it is safe to use such libraries, but i don't think there are arguments against using it. As long as the library returns the correct value and generates the salt correctly, it should be fine, because the security comes from the algorithm and not from the implementation.
MD5 is considered crackable. SHA1 is good but maybe crackable. SHA256 is good.
https://security.stackexchange.com/questions/5586/why-do-people-think-that-this-is-bad-way-to-hash-passwords
SHA1 vs md5 vs SHA256: which to use for a PHP login?
Is SHA-1 secure for password storage?
