Please help me; I can't describe which algorithm is better?

What I have tried:

Hi,
I have read this article:

Salted Password Hashing - Doing it Right

and I understand that the best hash algorithm for ASP.NET WebForms is PBKDF2-HMAC-SHA512,
and then I got this implementation:

GitHub - defuse/password-hashing: Password hashing code.

This implementation is based on PBKDF2-HMAC-SHA1.

I googled to find something that would help me make a hash based on PBKDF2-HMAC-SHA512,

and I've found this library on GitHub:

GitHub - therealmagicmike/PBKDF2.NET: Provides adaptive password-based key derivation (PBKDF2) functionality for the .NET Framework allowing the use of any System.Security.Cryptography.HMAC-based hashing implementation, whether it's a built-in type, or an implementation of your own.
In this library I can define my hash algorithm as HMACSHA1, HMACSHA256, HMACSHA384 or HMACSHA512.

And as you know, HMACSHA1 is faster than HMACSHA512, and it's not good for security reasons.

But I've found something that I don't know is true or not! I've implemented both algorithms in the same page and understand that adriancs's algorithm takes a longer time than Mike's, and that's not logical according to adriancs's article.

So, I want to know which algorithm is slowest and also which is better?


Any help will be appreciated.
Thank you, Masoud.
Updated 18-Nov-16 9:32am
Comments
[no name] 18-Nov-16 9:57am    
"algorithm is better" would be the one that does what you want it to do. That is for YOU to decide, not asking random strangers on the internet that have no idea what you are doing.
Masoud__Sh 18-Nov-16 12:07pm    
Thank you so much. I'm sorry for the bad question. Yes, you're right. I'm sure about using PBKDF2-HMAC-SHA512. But something that I don't know is why Mike's solution, when I'm using SHA1, is faster than adriancs's solution with the same algorithm, salt size, and iteration count. adriancs's algorithm takes about 40 milliseconds but Mike's algorithm takes 3 milliseconds, and that's not logical for the same values.
Thank you, Masoud

1 solution

Pretty much, SHA is the "Best" algorithm for hashing passwords, mostly because MD5 is officially "broken" and is not recommended for new applications. That doesn't mean MD5 is actually bad, just that there are circumstances where you can "reverse" the hash to produce an "enterable" password that will produce the same MD5 hash value as the original. The "new" password will probably not be recognisable as the "original" however.
SHA-1 is currently "broken" but not cracked, and SHA256 is "partly broken" but still considered secure for the moment. SHA512 is solid at present, so I'd use that for new projects.
SHA-3 is the "next generation" hash, but at present there is no verified implementation for .NET that I'm aware of.
 
Comments
Masoud__Sh 18-Nov-16 12:00pm    
Thank you so much for your answer, and I'm so sorry for the bad question. I edited my question. I'm not sure which one to use between the two libraries linked above in my question.
Thank you and sorry for taking your time.
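
The timing difference raised in the question can be checked by output as well as by stopwatch: PBKDF2 is deterministic, so two implementations given the same password, salt, iteration count, HMAC and output length must return identical bytes. The following is an added example, not code from the page or from either linked library; the `Pbkdf2` helper, password and salt are constructed for illustration, and the four-argument `Rfc2898DeriveBytes` constructor assumes .NET Framework 4.7.2 or later (or .NET Core 2.0+).

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class Pbkdf2Compare
{
    const string Password = "constructed-password"; // constructed sample value
    // Reference PBKDF2 (RFC 2898) over any keyed HMAC. Hypothetical helper, not from either library.
    static byte[] Pbkdf2(HMAC prf, byte[] salt, int iterations, int length)
    {
        int hLen = prf.HashSize / 8;
        var output = new byte[length];
        var block = new byte[salt.Length + 4];
        Buffer.BlockCopy(salt, 0, block, 0, salt.Length);
        for (int i = 1, offset = 0; offset < length; i++, offset += hLen)
        {
            // Salt || INT(i): the block index is appended as a 4-byte big-endian integer.
            for (int b = 0; b < 4; b++) block[salt.Length + b] = (byte)(i >> (24 - 8 * b));
            byte[] u = prf.ComputeHash(block);
            byte[] t = (byte[])u.Clone();
            for (int c = 1; c < iterations; c++)
            {
                u = prf.ComputeHash(u); // U_c = HMAC(password, U_{c-1})
                for (int k = 0; k < hLen; k++) t[k] ^= u[k];
            }
            Buffer.BlockCopy(t, 0, output, offset, Math.Min(hLen, length - offset));
        }
        return output;
    }
    // Derives with both implementations from identical parameters, then compares bytes and time.
    static void Run(string name, HMAC prf, HashAlgorithmName alg, byte[] salt, int iterations, int length)
    {
        var sw = Stopwatch.StartNew();
        byte[] reference = Pbkdf2(prf, salt, iterations, length);
        long refMs = sw.ElapsedMilliseconds;
        sw.Restart();
        byte[] builtIn;
        using (var kdf = new Rfc2898DeriveBytes(Password, salt, iterations, alg))
            builtIn = kdf.GetBytes(length);
        Console.WriteLine("{0}: identical output = {1}, reference {2} ms, built-in {3} ms",
            name, reference.SequenceEqual(builtIn), refMs, sw.ElapsedMilliseconds);
    }
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes(Password); // the string constructor also uses UTF-8
        byte[] salt = Encoding.ASCII.GetBytes("constructed-salt"); // fixed only so runs are repeatable
        Run("PBKDF2-HMAC-SHA1", new HMACSHA1(key), HashAlgorithmName.SHA1, salt, 20000, 20);
        Run("PBKDF2-HMAC-SHA512", new HMACSHA512(key), HashAlgorithmName.SHA512, salt, 20000, 64);
    }
}
```

If two libraries give different bytes for what look like the same settings, the parameters actually in effect (iteration count, salt, HMAC or output length) differ, and the timings are not comparable until they match. In production the salt comes from a cryptographic random number generator and is stored per user alongside the iteration count.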

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


