Menu
Commonly used hashing algorithms include Message Digest (MDx) algorithms, such as MD5, and Secure Hash Algorithms (SHA), such as SHA-1 and the SHA-2 family that includes the widely used SHA-256 algorithm.
The MD5 algorithm, defined in RFC 1321, is probably the most well-known and widely used hash function.
ASP.NET Core Identity and password hashingThe app will create a hash of the password, and store it in the database along with the user's details. A hash is a one way function, so given the password you can work out the hash, but given the hash you can't get the original password back.
It is just an extra “random” string to be added to your password strings before they are hashed. There are many common ways, some add salt to the end, some prepend it some do the both.
In light of the fact that googling "membership provider hashing algorithm" turns up this answer as the first result, and the gospel that will be inferred, it behoves me to warn folks about using the Membership Provider like this and using hashes like SHA-1, MD5 etc to obfuscate passwords in databases.
Use a key-derivation function like bcrypt, scrypt or (if you need FIPS compliance) PBKDF2 with a work factor sufficient to necessitate the hashing time for a single password to be as close to 1000ms or more.
Hashes are easy to brute force these days with ample examples of data breaches in recent history. To prevent your user's passwords from ending up on pastebin in the next hack, ensure that passwords are hashed with a function that takes a sufficiently long time to compute!
Instead of Membership Provider, try IdentityReboot or the newer implementations from Microsoft that Troy Hunt talks about at the least.
It's also interesting that on the same google results mentioned above I find a tutorial showing folks preciously how easy it is to brute force these password hashes using popular tools like JtR or Hashcat. On a custom GPU rig, SHA1 can be cracked at a staggering rate of 48867 million hashes per second! With a free dictionary like rockyou or the like, a motivated person with your database will very quickly have most of your users passwords. As a developer, it's your ethical responsibility to do what is necessary to protect the security of your users' passwords.
The default hashing is SHA1 but they also salt it and base64 it:
public string EncodePassword(string pass, string salt)
{
byte[] bytes = Encoding.Unicode.GetBytes(pass);
byte[] src = Encoding.Unicode.GetBytes(salt);
byte[] dst = new byte[src.Length + bytes.Length];
Buffer.BlockCopy(src, 0, dst, 0, src.Length);
Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
byte[] inArray = algorithm.ComputeHash(dst);
return Convert.ToBase64String(inArray);
}
If you want to know more about how to change it I still need to find out (unless using custom provider see below) however SHA-1 is pretty good for now. If you are looking to reverse it or lookup from this these guys did some work on that: http://forums.asp.net/p/1336657/2899172.aspx
This SO question will help in reversing or duplicating this technique if that is what might be needed. Reimplement ASP.NET Membership and User Password Hashing in Ruby
If you are making a custom provider you can create your hashing and encryption algorithms and methods.
private byte[] ConvertPasswordForStorage(string Password)
{
System.Text.UnicodeEncoding ue =
new System.Text.UnicodeEncoding();
byte[] uePassword = ue.GetBytes(Password);
byte[] RetVal = null;
switch (_PasswordFormat)
{
case MembershipPasswordFormat.Clear:
RetVal = uePassword;
break;
case MembershipPasswordFormat.Hashed:
HMACSHA1 SHA1KeyedHasher = new HMACSHA1();
SHA1KeyedHasher.Key = _ValidationKey;
RetVal = SHA1KeyedHasher.ComputeHash(uePassword);
break;
case MembershipPasswordFormat.Encrypted:
TripleDESCryptoServiceProvider tripleDes = new
TripleDESCryptoServiceProvider();
tripleDes.Key = _DecryptionKey;
tripleDes.IV = new byte[8];
MemoryStream mStreamEnc = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(mStreamEnc,
tripleDes.CreateEncryptor(),
CryptoStreamMode.Write);
cryptoStream.Write(uePassword, 0, uePassword.Length);
cryptoStream.FlushFinalBlock();
RetVal = mStreamEnc.ToArray();
cryptoStream.Close();
break;
}
return RetVal;
}
private string GetHumanReadablePassword(byte[] StoredPassword)
{
System.Text.UnicodeEncoding ue = new System.Text.UnicodeEncoding();
string RetVal = null;
switch (_PasswordFormat)
{
case MembershipPasswordFormat.Clear:
RetVal = ue.GetString(StoredPassword);
break;
case MembershipPasswordFormat.Hashed:
throw new ApplicationException(
"Password cannot be recovered from a hashed format");
case MembershipPasswordFormat.Encrypted:
TripleDESCryptoServiceProvider tripleDes =
new TripleDESCryptoServiceProvider();
tripleDes.Key = _DecryptionKey;
tripleDes.IV = new byte[8];
CryptoStream cryptoStream =
new CryptoStream(new MemoryStream(StoredPassword),
tripleDes.CreateDecryptor(), CryptoStreamMode.Read);
MemoryStream msPasswordDec = new MemoryStream();
int BytesRead = 0;
byte[] Buffer = new byte[32];
while ((BytesRead = cryptoStream.Read(Buffer, 0, 32)) > 0)
{
msPasswordDec.Write(Buffer, 0, BytesRead);
}
cryptoStream.Close();
RetVal = ue.GetString(msPasswordDec.ToArray());
msPasswordDec.Close();
break;
}
return RetVal;
}
http://msdn.microsoft.com/en-us/library/aa479048.aspx
The above answer by Ryan Christensen isn't complete. The part where it converts the salt to a byte[] isn't correct.
This is a working example that I've implemented in a solution for a client:
public string Hash(string value, string salt)
{
byte[] bytes = Encoding.Unicode.GetBytes(value);
byte[] src = Convert.FromBase64String(salt);
byte[] dst = new byte[src.Length + bytes.Length];
Buffer.BlockCopy(src, 0, dst, 0, src.Length);
Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
byte[] inArray = algorithm.ComputeHash(dst);
return Convert.ToBase64String(inArray);
}
The default hash algorithm type is SHA1. There are two ways that you can change this.
1) If you are working with IIS 7 you can update this using the "Machine Key" configuration (shown below). This allows you to choose the encryption method from a list of available options and specify the keys or the key generation options.
2) If you are working with IIS 6 you can change the hash algorithm type using the membership element in the web.config file:
<membership
defaultProvider="provider name"
userIsOnlineTimeWindow="number of minutes"
hashAlgorithmType="SHA1">
<providers>...</providers>
</membership>
According to the documentation the string value of the hashAlgorithmType attribute can be any of the provided .Net hashing algorithm types. A bit of digging shows that the valid values for ASP.Net 2, 3 and 3.5 are MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512. The important part here is that all these classes inherit from HashAlgorithm.
The value of the hashAlgorithmType attribute can also be an entry from the cryptoNameMapping element in the machine.config file. You could use this if you require a 3rd party hashing algorithm. The machine.config file can typically be found in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG if you are using ASP.Net 2 or later. You can read more about setting these values here.
The default hash algorithm changed to HMACSHA256 in the .NET 4.0 Framework.
Note that unlike SHA-1, HMAC SHA-256 is a keyed hash. If your hashes are behaving non-deterministically, you probably haven't set a key, forcing it to use a random one. Something similar to the following would be the culprit (which is what I just spent an hour figuring out :p ).
HashAlgorithm.Create(Membership.HashAlgorithmType)
If you wish to have it work with an existing provider you can revert it back to the former defaults using this guide.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With