Hi,
From what I understand, the greater the key length, the greater the security
That's not correct. You can use a polyalphabetic cipher with a key length of 8000 bits, it remains insecure. On the otherside you can use e.g. Blowfish with a 80 bit key, it's much more secure than your polyalphabetic cipher.
And: Hash algorithm have nothing to do with keys or encryption.
Basically (I think) it means there are 4+ billion different possibilities, which is a lot to brute force, even for a super computer or cluster of computers.
4 billions different possiblilites are also for the cpu in a modern mobile phone ridiculous. On a modern pc, you just needs arround 100-200 seconds to test 4 billion md5/sha1 combinations. So, 4 billion (or 2^32) are an incredible small number in terms of cryptography.
even if you could brute force 10000/second (which is damn fast considering the complexity of code required to brute force)
A modern cpu have a rate of 50 million md5/sha1/sha2 hashs per second. If you additional use your GPU (graphics processing unit) of e.g. GeForce 8, the rate would be 10 up to 25 times higher. So a rate of 200-300 million hashs per seconds isn't unrealistic (
ElcomSoft can reach it)
If you use now multiple computers or if you use your GPU (graphics processing unit)
So while 256 might seem less than 512 (it's because it is) there is little point, unless you are a terrorist and wish to hide details from the gov't, which is why most encryption applications will not allow you to go above 512.
256 bits (which means 2^256 possible keys, or arround 100 trillion vigintillion keys (~10^77 keys)) are with brute force unbreakable.
If you construct a pc which should solve this problem in 1 year, and you can use each atom as a single decipher unit with a clock rate of 10^15 Hz (which means hard X-Rays), this computer whould be so heavy that you create a black hole...
Back to topic:
So I'm asumming sha512 is better than sha384 and the later is better than sha256. According to this there are better ones than sha512...why use sha256 when sha512 is better?
SHA512 isn't better than SHA256 and SHA256 isn't better than SHA-1. It isn't that easy.
If you wanna hash the password of an user and save it in a database, SHA1 is the right choise. To choose there SHA-2 do not increase your security (at the moment).
But:
Just to save sha1('password from user'); in the database isn't sufficient and sha256 or sha512 do not help here.
You can create so called rainbow tables, which can speed up the cracking of many password hashes enormously.
So at minimum you have to use a random
Salt, so that pre calculated rainbow tables won't work.
The seconds step should then be to use a
key strengthing mechanism.
For more information read this article:
Password hashing howto and hownotto
Personally I can recommend the following class to save your passwords in a safe way:
Improved Hash Algorithm