What hashing algorithm should I use for my website?

Hi,
I am currently building my website, and I came across hashing algorithms.
I am currently using SHA-256 to store passwords in a database.
Should I switch to Argon2 or bcrypt? Or is SHA-256 good for now?

I was planning to switch to SHA-512, since it’s supposedly more secure than SHA-256, but I don’t know if it’s a good idea.

1 Like

(I believe it also includes SHA-256 in an answer)
I recommend bcrypt, but it really depends.

Bcrypt is slow but comes with custom salt and is really hard to crack. A single sha hash typically isn’t enough for production-environment application, so do it multiple times. A good rule of thumb is that it should take ~100ms for your machine to make the hash.

3 Likes

Use the PHP password_hash as it creates a salt and is 100x more secure than using the SHA family.

Its very difficult to decrypt, but a password and hash can be checked using password_verify.

5 Likes

thx. I’m going to use password_verify with Argon2 as the encryption method

3 Likes

PHP has a few internal hashing algorithms, yes.

As of PHP 5.5.0 bcrypt is used with password_hash.

Just so you know, password_hash has different algorithm options, as shown in the documentation

2 Likes

If you read further into the documentation (https://www.php.net/manual/en/function.password-hash.php), PASSWORD_ARGON2I also has a time_cost parameter for options that allows you to specify the max time it will take, as well as the max memory cost and the number of threads that will be used to compute the password.

3 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.