I am developing an API project which will have users who will be registering and logging in and out of an mobile application. I will be developing this application using web API .net core 5. I want to handle the authentication of users via logging in based on a valid jwt token.
My question is which type of hashing is suitable for storing the hashed password in the database. Here are two types I have been looking at, which one is more secure?
//sha256 method from the system web helpers namespace
var hash1 = Crypto.SHA256("password");
//hashpassword from the system web helpers namespace
var hash2 = Crypto.HashedPassword("12345");
Both are from micorosft/.net libraries so I am under the impression that they are both secure, however I have noticed there are some websites have a decryption mechanism for sha256. I am edging towards the hashedPassword
method in the Crypto
class...
SHA256 uses the SHA256 algorithm while HashPassword uses RFC 2898.
As for the differences, have a look at this post.
You should opt for HashPassword
, as it automatically generates a salt for you. Also, the RFC 2898 is considered more secure, as it's intentionally slowed down, which makes it harder to brute-force.
Note: both are hashing algorithms, not encryption algorithms, so neither can be "decrypted" by definition.