hashing passwords


Dino M. Buljubasic

Hi,

I am using MD5 to hash my passwords and add them to database as hashed.
I have noticed though that some passwords don't get recognized and I suppose
that it happens because hashing might introduce some characters in my
password that are not handled properly by SQL server then.

For example, password 'startreck' works just fine
password 'test' does not

Does anybody know how I can fix this problem?

Any help will be gratefully appreciated
Dino
 
How do you calculate the hash code?
 
Hi Herfried,

thanks for your response. I am using MD5 hashing, here is the code:

Imports System.Security.Cryptography
Imports System.Text

Public Function GenerateMD5Hash(ByVal strInput As String) As String

    Dim md5Provider As MD5

    ' generate bytes for the input string
    Dim inputData() As Byte = ASCIIEncoding.ASCII.GetBytes(strInput)

    ' compute MD5 hash
    md5Provider = New MD5CryptoServiceProvider()
    Dim hashResult() As Byte = md5Provider.ComputeHash(inputData)

    ' turn the 16 raw hash bytes into a string with the ASCII decoder
    Return ASCIIEncoding.ASCII.GetString(hashResult)

End Function

because this hashing may introduce an apostrophe, I also handle that by replacing a
' with '' (apostrophe with double apostrophe) and that gets handled well.
However, for some reason some passwords don't get found in my database
although they are there and I guess it is because some invalid characters
besides apostrophe get introduced but I am not sure.

Appreciate your help,
Dino

--


-------------------------------------------------------------------------
FIGHT BACK AGAINST SPAM!
Download Spam Inspector, the Award Winning Anti-Spam Filter
http://mail.giantcompany.com
 
I had similar problems a while ago - the cause turned out to be
character encoding in the database. My solution (and one which I apply
to all databases & models) is to produce an ASCII-friendly (actually,
7-bit) version of the hash. Basically, I just use the hex digits of
each of the bytes.
And remember to mix the user ID with the password when generating the
hash (I suppose it goes without saying, but I've seen it a hundred
times!)

Rgds,
 
Try Base64 Encoding the hash, before you store it in the database. When the
time comes to verify the hash, Base64 Decode the data, and you get the hash
back to compare it with.

--
HTH,
-- Tom Spink, Über Geek

Please respond to the newsgroup,
so all can benefit

" System.Reflection Master "

==== Converting to 2002 ====
Remove inline declarations


 
I never used Base64 before. I'll do some research on that but meanwhile,
can you give me a simple example of how to use it.

Thanks,
Dino

 
Hi Dino,

I'd take the output from "test" and stick a load of strings based on it
into the DB by hand to determine exactly which was giving the trouble. Then
I'd generate other test cases using a loop.

One possible workaround is to add an extra level of encoding:
Return System.Web.HttpUtility.UrlEncode _
(ASCIIEncoding.ASCII.GetString(hashResult))

But you must do that testing first because UrlEncode might not get <every>
character that causes trouble.

Regards,
Fergus
 
The problem is that I can not do that because some of the characters
generated by hash do not exist on the keyboard and there is no way to know
which ones are they anyways because they don't even get displayed properly.

I tried removing all non letters and non digits from the hashed password and
then trying to log on but it still does not work even though my query shows
the entries in database. E.g. for password 'test', I get something like say
'asdfg' after hashing it and removing all non letters and non digits.

Then my query SELECT blah, blah FROM Table WHERE password = 'asdfg' still
does not find it even though it is exactly how it is stored in DB.
Weird!!!

Thanks GG :)

 
Can you give me an example of how to do that?

Thank you,
Dino

Sorry, missed your post. Something like this:


Public Shared Function CreateHashedBlock(ByVal oUserID As String, _
                                         ByVal oPassword As String) As String
    ' Mix the user ID with the password before hashing
    Dim oValue As String = oUserID & oPassword
    Dim oMD5 As New System.Security.Cryptography.MD5CryptoServiceProvider()
    Dim oBuffer() As Byte
    oBuffer = oMD5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(oValue))
    ' Build a 7-bit-safe string: two hex digits per hash byte
    Dim oOutputText As String = ""
    Dim oByte As Byte
    For Each oByte In oBuffer
        If oByte < 16 Then
            oOutputText = oOutputText & "0" & Hex(oByte)
        Else
            oOutputText = oOutputText & Hex(oByte)
        End If
    Next
    Return oOutputText
End Function
 
Hi,

You guys have no excuse for asking the same mumbo-jumbo over-and-over before
making a simple search.
That is a beginner issue, very easy to find on Google or something.

Once again, I will quote my own text in this newsgroup:

«It's a common (newbie) misunderstanding, about storing ciphertext [or hash
values, or random data] as
strings. The point is you shouldn't. Converting a buffer into a string and
vice-versa is called Text encoding and decoding. There are several encoding
schemes (Ascii, Unicode, UTF8, etc). Each ciphertext byte can range from 0
to 255. Encoding schemes do NOT preserve all those unique values. And a
single wrong byte is enough to make decryption [or string to bytes again]
impossible.

You should always store and handle ciphertext as a buffer (array of bytes).
If you really need to store it as a string [for instance for a database]
then you need to get a Base
encoding representation of the buffer (hexadecimal, or Base64/Mime). You can
create your own Base encoding functions or use framework
System.Convert.ToBase64(buffer).»

So Dino, in your code, replace that bogus "Return
ASCIIEncoding.ASCII.GetString(hashResult)" with the correct:

Return Convert.ToBase64String(hashResult)

Of course you will use another function to decode from Base64String into
bytes array. Just saying this before you ask:

Dim hashResult() As Byte = Convert.FromBase64String(base64hash)

Regards,
Mario
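
The encoding point made in the replies above, as an added example that is not part of the original thread: it hashes the thread's 'test' password, shows that an ASCII text round trip does not return the original bytes, and that Base64 or hex does. The module and function names are made up for the illustration, and MD5 is kept only because it is what the thread's code uses.

```vbnet
' Added example, not code from the thread; module and function names are illustrative.
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

Module HashEncodingDemo

    ' MD5 only because the thread's code uses it; the encoding issue is the same for any hash.
    Function HashBytes(ByVal input As String) As Byte()
        Using hasher As MD5 = MD5.Create()
            Return hasher.ComputeHash(Encoding.ASCII.GetBytes(input))
        End Using
    End Function

    ' Two lowercase hex digits per byte: 32 characters for a 16-byte hash.
    Function ToHex(ByVal data As Byte()) As String
        Dim sb As New StringBuilder(data.Length * 2)
        For Each b As Byte In data
            sb.Append(b.ToString("x2"))
        Next
        Return sb.ToString()
    End Function

    ' Verification decodes the stored text back to bytes and compares bytes, not strings.
    Function Matches(ByVal storedBase64 As String, ByVal candidate As String) As Boolean
        Return Convert.FromBase64String(storedBase64).SequenceEqual(HashBytes(candidate))
    End Function

    Sub Main()
        Dim hash As Byte() = HashBytes("test")   ' 16 raw bytes, each in 0..255

        ' Lossy: ASCII is 7-bit, so the decoder replaces every byte >= &H80 with "?".
        Dim asText As String = Encoding.ASCII.GetString(hash)
        Dim back As Byte() = Encoding.ASCII.GetBytes(asText)
        Console.WriteLine("Bytes outside 7-bit range: " & hash.Count(Function(b) b >= &H80).ToString())
        Console.WriteLine("ASCII round trip intact:   " & hash.SequenceEqual(back).ToString())

        ' Lossless: Base64 and hex map every byte value to printable characters.
        Dim stored As String = Convert.ToBase64String(hash)
        Console.WriteLine("Base64 for the database:   " & stored)
        Console.WriteLine("Hex for the database:      " & ToHex(hash))
        Console.WriteLine("Verify 'test':             " & Matches(stored, "test").ToString())
        Console.WriteLine("Verify 'Test':             " & Matches(stored, "Test").ToString())
    End Sub

End Module
```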
 