sha-512 is a hash algorithm from the sha-2 family.

In a head-on brute force attack (which nobody will try) the hash is 2^256 times stronger than sha-256 (that's a lot).
But it shares all weaknesses with the other SHA-2 family members.

What I would do:
- sha-256 is really good enough for now - be ready to move to sha-3 once it is chosen
- by all means add a long salt - storing password hashes that are unsalted is almost criminal as it exposes you to rainbow table attacks.

You seem to send the hash of a password over the wire ? You do realize that any eavesdropper along the way now has the hash of the password and that that's plenty to get authenticated without knowing the password itself.

I'd stick to standard mechanisms intead of trying to build your own solution out of building blocks - in crypto you fail instantly if you try to do that.

I sure feel like a Bozo having asked that question--not a matter of "what was I thinking" but purely a case of not thinking. Appears I'm going to have to resort to SSL if I want to protect passwords.

Actually: don't feel bad, you'd be amazed how many actually deployed and installed systems out there contain basic errors.

It doesn't help that almost every example in almost every tutorial makes bad choices security wise. We're setting up the world for failure that way...