My next task will be to encrypt passwords. I am working at the database access layer and my co-worker has left this comment, "implement SHA512 hash", on an empty method which I will implement. Any recommendation about this?
C# example from that page:
using System.Security.Cryptography;

const int DATA_SIZE = 1024;           // size of the input buffer; any value works for the example
byte[] data = new byte[DATA_SIZE];    // the bytes to be hashed
byte[] result;
SHA512 shaM = new SHA512Managed();    // obsolete in .NET 6+; SHA512.Create() is the replacement
result = shaM.ComputeHash(data);
You should use bcrypt, which is more secure for passwords than SHA512.
If you really need to use SHA512, you should use the SHA512Managed
class, as other answers have mentioned.
Make sure to salt your hash.
Quite a simple process really:
using System.Security.Cryptography;
using System.Text;

byte[] data = Encoding.UTF8.GetBytes(stringPasswordForExample); // UTF-8 bytes of the password
SHA512 sha512 = new SHA512Managed();                            // obsolete in .NET 6+; SHA512.Create() is the replacement
byte[] hash = sha512.ComputeHash(data);
hash now contains a non-reversible hash of the initial data that you wanted hashed. Also, check out MSDN. A few notes:
how to hash a password?
With a salt. Really.
Never, ever do this:
byte[] data = Encoding.UTF8.GetBytes(stringPasswordForExample);
But this:
byte[] data = Encoding.UTF8.GetBytes(stringPasswordForExample + salt);
This is one of the most misunderstood "tricks of the trade". Most people don't know what a "salt" is and when you explain it to them, they think it's pointless.
Truth is: SHA-512 or MD5 or some very weak hash, once rainbow tables are precomputed, doesn't make any difference. SHA-65536, should it exist (I'm being facetious here), would be no better than any other hashing algorithm once rainbow tables are precomputed.
A big enough "salt" makes rainbow tables impossible:
http://en.wikipedia.org/wiki/Rainbow_table
Note that even if you understand fully how hashes, salt and rainbow tables relate (and hence understand why the Wikipedia article states: "A salt is often employed with hashed passwords to make this attack more difficult, often infeasible.") there's a very high probability that your co-workers don't. Just as it is very likely that most people up and downvoting in this thread don't understand this topic.
I've seen answers here on SO with 30 upvotes where someone who couldn't understand what a salt was kept up coming with techno-buzzwords to defend his position... And yet he had all these upvotes (too lazy to find the question but it was epic).
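Added example (editor's code, not from any answer above): the salted SHA-512 scheme the last two answers describe, carried through to a complete hash-and-verify pair. It generates a fresh random salt per password, stores the salt next to the digest, and compares in constant time. It assumes .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals); the "salt$hash" storage format, the class and method names, and the 16-byte salt size are choices made here, not anything the thread specifies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Editor's example: salted SHA-512 with a random per-password salt.
// Record format "base64(salt)$base64(digest)" is an assumption of this example.
public static class SaltedSha512
{
    private const int SaltSize = 16; // 128-bit salt; large enough that no precomputed table covers it

    // Hash a password under a fresh random salt and return the storable record.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // cryptographically strong randomness, never a fixed or per-site salt
        }
        byte[] digest = Digest(password, salt);
        return Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(digest);
    }

    // Recompute the digest with the stored salt and compare in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Digest(password, salt);
        // FixedTimeEquals does not short-circuit on the first differing byte,
        // so timing does not reveal how much of the digest matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // SHA-512 over salt || UTF-8(password). Prepending raw salt bytes keeps the
    // salt/password boundary unambiguous, unlike string concatenation.
    private static byte[] Digest(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA512.Create())
        {
            return sha.ComputeHash(input);
        }
    }

    public static void Main()
    {
        string first = Hash("correct horse battery staple");
        string second = Hash("correct horse battery staple");
        Console.WriteLine(first);
        Console.WriteLine(second);
        Console.WriteLine("Same record for same password: " + (first == second));
        Console.WriteLine("Right password verifies: " + Verify("correct horse battery staple", first));
        Console.WriteLine("Wrong password verifies: " + Verify("wrong", first));
    }
}
```

Running it twice on the same password yields two different records, which is the point of the salt: an attacker who dumps the table cannot reuse one precomputed table across users, or across sites. What the salt does not fix is speed. SHA-512 is designed to be fast, so a dumped table is still open to per-user brute force at hardware speed, which is why the bcrypt recommendation above still applies: a deliberately slow, salted password hash is the stronger choice when the method's contract allows it.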