I’m building a site where security is somewhat important (then again, when is it not important?) and I was looking for the best way to store my passwords. I know that MD5 has issues with collisions as well as SHA-1, so I was looking into storing my passwords via either SHA-256 or SHA-512.
Is it wiser to store a longer hash variant as opposed to a smaller one? (i.e. 512 vs 256) Does it take significantly more time to crack a SHA-512 encoded password versus a SHA-256 encoded password?
Also, I’ve read about using “salts” for the passwords. What is this and how does it work? Do I simply store the salt value in another database field? How do I use that as a part of the hash value calculation?
For password storage, you need more than a mere hash function; you need:
So you need bcrypt.
For the point of the hash output size: if that size is n bits, then n shall be such that an attacker cannot realistically compute the hash function 2^n times; 80 bits are quite enough for that. An output of 128 bits is thus already overkill. You still would not want to use MD5, because it is way too fast (100000 nested invocations of MD5 might be slow enough, though) and because some structural weaknesses have been found in MD5, which do not directly impact its security for hashing passwords, but are bad public relations nonetheless. Anyway, you should use bcrypt, not a homemade structure.