Hi,
I am currently building my website, and I came across hashing algorithms.
I am currently using SHA-256 to store passwords in a database.
Should I switch to Argon2 or bcrypt? Or is SHA-256 good for now?
I was planning to switch to SHA-512, since it’s supposedly more secure than SHA-256, but I don’t know if it’s a good idea.
(I believe it also includes SHA-256 in an answer)
I recommend bcrypt, but it really depends.
Bcrypt is slow but comes with a custom salt and is really hard to crack. A single SHA hash typically isn’t enough for a production-environment application, so do it multiple times. A good rule of thumb is that it should take ~100ms for your machine to make the hash.
If you read further into the documentation (https://www.php.net/manual/en/function.password-hash.php), PASSWORD_ARGON2I also has a time_cost parameter for options that allows you to specify the max time it will take, as well as the max memory cost and the number of threads that will be used to compute the password.
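As an added example (not code from any poster in this thread), here is how both of the points above look in PHP: a slow, salted hash via the built-in password_hash()/password_verify() API linked above, with the cost parameters calibrated until one hash takes roughly the ~100 ms suggested earlier, plus a login check that upgrades weaker stored hashes. It assumes PHP 7.3 or later; PASSWORD_ARGON2ID is only defined when PHP was built with Argon2 support, so the script falls back to bcrypt otherwise. The ~100 ms target, the 64 MiB memory_cost and the loop bounds are choices made for this example.

```php
<?php
// Added example: salted slow hashing with password_hash(), cost calibration to
// roughly 100 ms, and rehash-on-login. Assumes PHP >= 7.3; Argon2id needs a
// build with Argon2 support, so we fall back to bcrypt when the constant is absent.
declare(strict_types=1);

// Pick Argon2id when available, otherwise bcrypt (no return type: before PHP 7.4
// PASSWORD_BCRYPT is an int, afterwards a string).
function chooseAlgorithm()
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

// Raise the work factor until a single hash takes at least $targetMs on this host.
// Re-run this on the real server; the right value differs per machine.
function calibrate($algo, float $targetMs = 100.0): array
{
    if ($algo === PASSWORD_BCRYPT) {
        for ($cost = 10; $cost <= 31; $cost++) {
            $start = hrtime(true);
            password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
            if ((hrtime(true) - $start) / 1e6 >= $targetMs) {
                return ['cost' => $cost];
            }
        }
        return ['cost' => 31];
    }
    // memory_cost is in KiB; 64 MiB is an example value chosen here, not a standard.
    $options = ['memory_cost' => 64 * 1024, 'time_cost' => 1, 'threads' => 1];
    for ($t = 1; $t <= 20; $t++) {
        $options['time_cost'] = $t;
        $start = hrtime(true);
        password_hash('calibration-sample', PASSWORD_ARGON2ID, $options);
        if ((hrtime(true) - $start) / 1e6 >= $targetMs) {
            break;
        }
    }
    return $options;
}

// password_hash() draws a random per-user salt and encodes algorithm, parameters
// and salt into the returned string, so that single string is all you store.
function hashPassword(string $password, $algo, array $options): string
{
    return password_hash($password, $algo, $options);
}

// Verify a login; if the stored hash used an older algorithm or cheaper
// parameters, return a fresh hash the caller should write back to the database.
function checkLogin(string $password, string $storedHash, $algo, array $options): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($storedHash, $algo, $options)
        ? hashPassword($password, $algo, $options)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

$algo = chooseAlgorithm();
$options = calibrate($algo);
printf("algorithm: %s options: %s\n", (string) $algo, json_encode($options));

$stored = hashPassword('correct horse battery staple', $algo, $options);
echo "stored: $stored\n";

$good = checkLogin('correct horse battery staple', $stored, $algo, $options);
$bad = checkLogin('wrong password', $stored, $algo, $options);
printf("correct password accepted: %s\n", $good['ok'] ? 'yes' : 'no');
printf("wrong password accepted:   %s\n", $bad['ok'] ? 'yes' : 'no');

// A legacy row holding a raw SHA-256 hex digest is not a recognised hash format,
// so password_verify() cannot accept it; such users need a migration path
// (e.g. a forced reset) rather than a silent rehash.
printf("legacy sha256 row verifies: %s\n",
    password_verify('anything', hash('sha256', 'anything')) ? 'yes' : 'no');
```

Run it once on the production hardware to see which cost it settles on, then fix that value in configuration rather than calibrating on every request; when you later raise the cost, password_needs_rehash() in checkLogin() upgrades each user's stored hash the next time they log in successfully.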