Using SHA256 + SHA512 hash for password?
I'm creating a method that I will use to hash passwords to store in a database. I would like to seek advice on whether my hashing method is sufficient or overkill for the task.
```vb
Dim result As Byte()
Dim mixer As String
Try
    Dim sha As New SHA512CryptoServiceProvider
    mixer = txt_salt.Text.ToUpper + txt_pass.Text.Trim
    result = sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(mixer))
    txt_sha.Text = Convert.ToBase64String(result)
Catch ex As Exception
    MsgBox(ex.ToString)
End Try
```
It is insufficient.
- No salt:
- Hashes are too fast:
- No HMAC:
  - does not have additional "server secret" (stored outside db!)
  - solution: hmac-sha1, etc.
- Not part of a well-tested library/framework for authentication:
As far as "bits" go, SHA1 is perfectly fine with 160 (but it is not fine [by itself] for other reasons). Doing both SHA256+SHA512 just complicates the matter for zero gain. (Actually, it is a very slight net loss due to the extra storage requirements.)
I suggest using an existing library/system, unless this is an academic project :)
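
One way to cover the points the answer lists (a per-password salt, a slow hash, and a server secret applied with HMAC) using classes that ship with .NET. This is an added example, not code from the question or the answer; the module and function names, the iteration count and the stored "rounds:salt:hash" format are assumptions, and it assumes .NET Framework 4.7.2 or later for the SHA-256 PBKDF2 constructor.

```vbnet
Imports System.Security.Cryptography

Module PasswordHashing
    Private Const SaltSize As Integer = 16             ' random bytes per password
    Private Const HashSize As Integer = 32             ' bytes of derived output
    Private Const DefaultRounds As Integer = 210000    ' assumed work factor; tune per hardware

    ' Returns "rounds:salt:hash" (Base64 fields) for the database column.
    ' serverSecret is a key stored outside the database (assumption: loaded from config).
    Function HashPassword(password As String, serverSecret As Byte()) As String
        Dim salt(SaltSize - 1) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Dim hash = Derive(password, salt, DefaultRounds, serverSecret)
        Return String.Join(":", DefaultRounds.ToString(), Convert.ToBase64String(salt), Convert.ToBase64String(hash))
    End Function

    Function VerifyPassword(password As String, stored As String, serverSecret As Byte()) As Boolean
        Dim parts = stored.Split(":"c)
        Dim rounds As Integer
        If parts.Length <> 3 OrElse Not Integer.TryParse(parts(0), rounds) OrElse rounds <= 0 Then Return False
        Try
            Dim salt = Convert.FromBase64String(parts(1))
            Dim expected = Convert.FromBase64String(parts(2))
            Return FixedTimeEquals(Derive(password, salt, rounds, serverSecret), expected)
        Catch ex As FormatException
            Return False    ' malformed record
        End Try
    End Function

    ' Slow, salted PBKDF2 first, then HMAC keyed with the server secret.
    Private Function Derive(password As String, salt As Byte(), rounds As Integer, serverSecret As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, rounds, HashAlgorithmName.SHA256)
            Using mac As New HMACSHA256(serverSecret)
                Return mac.ComputeHash(kdf.GetBytes(HashSize))
            End Using
        End Using
    End Function

    ' Compare without exiting early on the first differing byte.
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
End Module
```

Storing the round count with each record lets the work factor be raised later without invalidating existing hashes.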