i am working in a startup company providing software services and recently we have set security standards for encryption. For hashing, the standards that were set was we should use SHA-512 or SHA-256.
For Java, We are considering using Bcrypt of Spring or Argon2. Actually reading their documentations, can't find any information if their underlying algorithms are using SHA-512 or SHA-256 or something else?
or are these both outdated algorithms for hashing and we should use something else?
Can anyone help me on this?
When you are referring to "security standards for encryption" I'm assuming that you are talking about storing passwords, so I'll write about using "SHA", "BCRYPT" and "ARGON2I" to secure passwords, I'll mention disadvantages and vantages between "SHA" and "BCRYPT/ARGON2I" algorithms.
None of the "SHA" algorithms are designed for hashing passwords, they are fast algorithms making them easy to compute. For example: They are used for cryptocurrency encryption because they don't encrypt a single word or a short combination of characters, they encrypt a large file containing the currency making it hard to guess the hashed file.
In the other hand hashing methods like "BCRYPT" and "ARGON2I" are made for storing passwords, one of the key differences from "SHA" is that they are slow algorithms meaning that in order to hash a word it can take a full second if configured correctly (because of the cost of the hash). This means that the time the attacker has to invest in hashing the word that is trying to compare is the same as the word that is hashed (in this example I'm giving 1sec per hash). This dramatically increase up the time that the attacker has to invest in order to match the hashes, making your stored files more secure.
If you want to hash passwords it's recommended to implement slow hashing algorithms, if you want to hash long files it's recommended to implement fast hashing algorithms.
Responding to your last question... Neither "BCRYPT" nor "ARGON2I" are outdated hashing methods. BCRYPT is more reliable in my opinion because of the time it has been on the market, it was released in 1999 and the developers that programmed it are updating it until nowadays. The same happens with "ARGON2I" but it's a newer algorithm (it was created on 2015) meaning that it isn't as tested as "BCRYPT", however it is said that "ARGON2I" is more secure than "BCRYPT" but vulnerabilities could be found forthcoming.
If you notice that I'm speaking about "ARGON2I" and not "ARGON2" is because there are various versions of the algorithm and "ARGON2I" is the one designed for hashing passwords.
These are the links from both slow algorithms Wikipedia and source code in GitHub.
Wikipedia of bcrypt
Wikipedia of argon2
GitHub of bcrypt
GitHub of argon2