If you have to develop a secure solution you make some research and choose what you think is a good solution (and if it is something outside your field you study/ask).
In 2001 I've to implement a secure solution for a mobile platform, I choose Rijndael (them picked by NIST for AES). My previous knowledge of encryption algorithm was near zero.
And then if you make the wrong decision, on something important as security for a public website, over the years you iterate (come on, till 2003 nobody internally thought it was a must to fix this mess?).
> If you have to develop a secure solution you make some research and choose what you think is a good solution (and if it is something outside your field you study/ask)
If everyone did this we wouldn't have these discussions so often. The problem is that people think they know about crypto, and think they know what they're doing, and probably won't believe otherwise until they get smashed wide open like this. This applies to almost all areas of knowledge, it's just particularly damaging in crypto as it's arcane and very sensitive to changes, often in very subtle ways.
It's worse than that - I admit I know very little about crypto.
So when it comes to implementing a password storage system I read up a bit, get confused, ask a couple of people and get different answers back.
It's the "get confused" bit that's dangerous. As you say, the differences are quite subtle and (for me at least) when they are being explained make perfect sense, but ten minutes later have become an uncrackable cipher all of their own.
I'm not sure what advice to give you. You commonly see advice to outsource your security, to other libraries, the idea being these are more likely to be correct than you. However, there have been some pretty high profile mistakes in common crypto libraries too! If there's anything specific you have in mind, I'd be happy to field questions (and hopefully other HN users will correct me in the event I'm wrong!)
What is it being used for, and how is it being used? I'm guessing this is password hashes. Is rails using a unique salt for each password?
Bcrypt is slower than SHA512, in fact it can be made to be very slow. This is actually ideal for password hashes, it doesn't matter if it takes your server 50 milliseconds to calculate a password hash but that would severely slow down an attack.
It is important however that they are being used correctly. Either would be a good solution if properly salted.
If you have to develop a secure solution you make some research and choose what you think is a good solution (and if it is something outside your field you study/ask).
In 2001 I've to implement a secure solution for a mobile platform, I choose Rijndael (them picked by NIST for AES). My previous knowledge of encryption algorithm was near zero.
And then if you make the wrong decision, on something important as security for a public website, over the years you iterate (come on, till 2003 nobody internally thought it was a must to fix this mess?).