Reputation: 9222
SHA vs MD5 or other? What is least overhead implementation in MVC3?
Of the two hashing algorithms, SHA and MD5, which one would be the easiest to implement in .NET MVC 3. By easy, I mean the least amount of overhead and time to implement.
I know the argument will be that with security it shouldn't matter, but I am still interested in which one it would be. And if there is another highly used one that is easier, which is it?
I am new to working with hashing algorithms for site authentication, so I want to make sure I do my research before I go at it.
Also, if .NET or MVC has built in support for anything, what would it be?
Thank you.
Upvotes: 1
Views: 1299
Answers (3)
Reputation: 1496
I prefer not to store passwords on my sites at all - either with hashes and salts or otherwise. If you use an OpenID provider or a variant such as the new BrowserID from Mozilla Labs, I believe you may even be better off.
Upvotes: 1
Reputation: 164291
As stated in the comments, SHA and MD5 is not encryption. If you need one-way hashes, though, one of the SHA variants is the safest.
If you by "Least overhead" mean which one is easiest to implement in code, they are the same. In .NET SHA and MD5 share the same base class HashAlgorithm, which you can program against.
If you by "Least overhead" mean computing time or space consumption, MD5 is the winner. But bear in mind that MD5 is a lot weaker than any of the SHA variants, and for any practical applications today, neither time nor space is likely to matter.
Upvotes: 1
Reputation: 818
See System.Security.Cryptography.MD5, and System.Security.Cryptography.SHA256.
A list of implemented hashing algorithms in the .NET framework can be found here.
You should also check out this blog post for a few tips about rolling your own authentication scheme.
Bcrypt is often a good choice for hashing passwords, and there's a .NET port of it here. However, I'm not sure if there has been any outside code review on this project, so it may be worth asking around.
Excellent posting about why bcrypt is the preferred method for storing passwords: http://codahale.com/how-to-safely-store-a-password/.
In regards to least overhead, that should really never be a concern. I would never want my passwords stored using the weakest hashing algorithm because a website or service needed "less overhead".
Upvotes: 3
Related Questions
- MVC - How to hash and salt
- advantage of md5+salt in asp.net application
- Looking for a C# hash faster then MD5 or SHA256
- ASP.NET MVC 4 Hash algorithm
- Does ASP.NET use SHA256 or SHA1?
- How to Use SHA1 or MD5 in C#?(Which One is Better in Performance and Security for Authentication)
- Hashing Passwords With ASP.NET MVC 3
- Which is the best hashing algorithm in ASP.NET that can be used to store password in database?
- Faster MD5 alternative?
- How to calculate hashbyte SHA1 using C#?