I have read about how to implement security into a website using hashing, and I am not creating something terribly sensitive like a bank or storing credit cards. I would, however, like to know the best practices. My site has a TLS cert with AES 256.
Main issues:
1.) Sending the hashed password hashed again through the session seems to be the only way I can think of to keep the session fairly secure. In my opinion, I don't really care if the user finds that value, but I would care if the user found some way to see the database and knew exactly what my encryption algo was.
2.) Should I just completely take out my algorithm prior to hashing the password, or should I use different hashing methods?
Is it okay to use sha512 before or after bcrypt, since both of these are sound as far as collisions and brute force?
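The "sha512 before bcrypt" step from the question has two practical catches worth seeing in code: bcrypt only uses the first 72 bytes of its input, and a raw SHA-512 digest can contain a NUL byte, which bcrypt implementations either reject or silently treat as end of string. The following is an added example (not code from the asker), standard library only, showing how to encode the pre-hash so it is safe to hand to a bcrypt library such as `bcrypt.hashpw`; the candidate passwords it scans are constructed.

```python
import base64
import hashlib

# bcrypt uses at most the first 72 bytes of its input, and depending on the
# library a NUL byte either raises an error or terminates the input early.
BCRYPT_MAX_INPUT = 72


def prehash_for_bcrypt(password: str) -> bytes:
    """SHA-512 the password, then base64-encode the digest so the bytes
    handed to bcrypt are printable ASCII and can never contain NUL."""
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    # 64 raw bytes become 88 ASCII bytes; bcrypt keeps the first 72,
    # which still carries 432 bits of the digest.
    return base64.b64encode(digest)


def raw_digest_has_nul(password: str) -> bool:
    """True if the unencoded SHA-512 digest contains a 0x00 byte."""
    return b"\x00" in hashlib.sha512(password.encode("utf-8")).digest()


def find_password_with_nul_digest(limit: int = 2000) -> str:
    """Scan constructed candidate passwords until one whose raw digest
    contains a NUL is found (about one in five do), to show why the raw
    digest must not be passed to bcrypt directly."""
    for i in range(limit):
        candidate = f"constructed-password-{i}"  # constructed sample input
        if raw_digest_has_nul(candidate):
            return candidate
    raise RuntimeError("no candidate found within limit")


def bytes_seen_by_bcrypt(prehashed: bytes) -> bytes:
    """The portion of the encoded pre-hash that bcrypt actually consumes."""
    return prehashed[:BCRYPT_MAX_INPUT]


if __name__ == "__main__":
    ph = prehash_for_bcrypt("correct horse battery staple")
    print(len(ph), bytes_seen_by_bcrypt(ph))
    # Hand `ph` (never the raw digest) to bcrypt.hashpw(ph, bcrypt.gensalt()).
    print("raw digest with NUL:", find_password_with_nul_digest())
```

Applying the same encoding before verification keeps login consistent with registration; the stored value is then bcrypt's output, not the SHA-512 digest.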