Click here to Skip to main content
15,663,639 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Please help me; I can't describe which algorithm is better?

What I have tried:

i have read this article:

Salted Password Hashing - Doing it Right[^]

and i understand that the best hash algorithm for webforms is PBKDF2-HMAC-SHA512
and then get this implementation:

GitHub - defuse/password-hashing: Password hashing code.[^]

this implementation is based on PBKDF2-HMAC-SHA1

i googled to find something that help me to make a hash based on PBKDF2-HMAC-SHA512

and i've found this library on github:

GitHub - therealmagicmike/PBKDF2.NET: Provides adaptive password-based key derivation (PBKDF2) functionality for the .NET Framework allowing the use of any System.Security.Cryptography.HMAC-based hashing implementation, whether it's a built-in type, or an implementation of your own.[^]
in this library i can define my hash algorithm as <b>HMACSHA1</b>, <b>HMACSHA256</b>, <b>HMACSHA384</b> or <b>HMACSHA512</b>

and as you know HMACSHA1 is faster than HMACSHA512. and it's not good in security reasons.

But i've found something that i don't know it's true or not! i've implemented both algorithms in same page and understand that adriancs's algorithm takes longer time than the mike's. and it's not logical as for adriancs's article.

So, i want to know which algorithm is slowest and also wich is better?

any help will be appreciated.
Thank you, Masoud.
Updated 18-Nov-16 9:32am
[no name] 18-Nov-16 9:57am    
"algorithm is better", would be the one that does what you want it do. That is for YOU to decide not asking random strangers on the internet that have no idea what you are doing.
Masoud__Sh 18-Nov-16 12:07pm    
thank you so much. i'm sorry for bad questioning. yes you're right. i'm sure about using PBKDF2-HMAC-SHA512. but something that i don't know is, why Mike's solution when i'm using SHA1 is faster than adriancs's solution in same algorithm, salt size, and iteration count? adriancs's algorithm takes something about 40 milliseconds but Mike's algorithm takes 3 milliseconds. and it's not logical for same values.
Thank you, Masoud

1 solution

Pretty much, SHA is the "Best" algorithm for hashing passwords, mostly because MD5 is officially "broken" and is not recommended for new applications. That doesn't mean MD5 is actually bad, just that there are circumstances where you can "reverse" the hash to produce an "enterable" password that will produce the same MD5 hash value as the original. The "new" password will probably not be recognisable as the "original" however.
SHA-1 is currently "broken" but not cracked, and SHA256 is "partly broken" but still considered secure for the moment. SHA512 is solid at present, so I'd use that for new projects.
SHA-3 is the "next generation" hash, but at present there is no verified implementation for .NET that I'm aware of.
Share this answer
Masoud__Sh 18-Nov-16 12:00pm    
thank you so much for your answer. and i'm so sorry for bad questioning. i edited my question. i'm not sure about using one library between two libraries linked above in my question.
Thank you and sorry for taking your time.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900