asp.net: storing password Hash algorithm

Which hash algorithm works best wrt security?

SHA1 with variable salt

SHA2 with known 开发者_JAVA技巧salt

or MD5 with known salt

MD5 with varible salt

Of the ones you listed, SHA2 is the most secure on its face. But as between known and unknown salts, an unknown salt will always make your encryption exponentially more secure.

My membership provider (which is by no means perfect or the model for what anyone or everyone should do) uses SHA1 with a randomly generated salt at the time of user creation, with separate salts for password and security answer. Obviously you need to store these salts so they are known somewhere but once the user enters their password, its never seen again. If they change their password, I re-salt it and re-save it. I find this gives a good balance between secure hashing, a strong key, and the ability to easily match later without doing a lot of extra work.