I am following the MSDN article located here: http://msdn.microsoft.com/en-us/library/aa302398.aspx

My confusion is over the function:

using System;
using System.Web.Security;

private static string CreatePasswordHash(string pwd, string salt)
{
  // hash input is the plain-text password with the salt appended
  string saltAndPwd = String.Concat(pwd, salt);
  string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
                                             saltAndPwd, "SHA1");
  // stored value is the hash followed by the (clear-text) salt
  hashedPwd = String.Concat(hashedPwd, salt);
  return hashedPwd;
}

My understanding is that:

1. concat the salt and the plain-text pwd
2. create a hashed password using SHA1
3. concat the salt once again with the hashed pwd, which originally had the salt in it???

What is the reasoning behind step 3? I found a function identical to the MSDN one elsewhere and it omits the last concat.

I just do not understand why the MSDN version has the last concat operation in there.

+1  A: 

It's storing the salt with the hashed password so that you can simply extract the whole thing from the configuration file (or wherever you store it), grab the salt off the end, hash the incoming password with it, and compare the results to the hashed password from the configuration. If you don't store the salt with the hashed password in the configuration, you'd have to store it somewhere else and extract it from there to hash incoming passwords when you perform the test. Since SHA1 is a fixed 160 bits (20 bytes), it's easy to grab the salt by simply skipping the first 20 characters in the hashed password in the configuration.

tvanfosson
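The store-and-verify round trip the answer describes, written out as an added example (not code from the MSDN article or from the answer). It is a Python re-implementation of the same scheme: hashlib.sha1 over the UTF-8 bytes, uppercase hex output, stands in for FormsAuthentication.HashPasswordForStoringInConfigFile(text, "SHA1"), and the base64 salt mirrors the article's CreateSalt; treating the .NET method as UTF-8 over the input is an assumption for non-ASCII passwords. One detail worth checking: the .NET method returns the digest as hex text, so the 20-byte SHA-1 digest occupies 40 characters, and the salt starts at index 40 of the stored string, not 20.

```python
import base64
import hashlib
import hmac
import os

# A SHA-1 digest is 20 bytes; stored as hex text it is 40 characters.
SHA1_HEX_LEN = 40


def create_salt(size: int = 16) -> str:
    """Random salt as base64 text, mirroring the article's CreateSalt."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def hash_password_for_storing(text: str) -> str:
    """Stand-in for HashPasswordForStoringInConfigFile(text, "SHA1").

    Uppercase hex of SHA-1 over the UTF-8 bytes (UTF-8 is an assumption
    about the .NET method; the uppercase-hex output is its documented form).
    """
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def create_password_hash(pwd: str, salt: str) -> str:
    """Same steps as the MSDN CreatePasswordHash: hash(pwd + salt) + salt."""
    salt_and_pwd = pwd + salt
    hashed_pwd = hash_password_for_storing(salt_and_pwd)
    # Step 3 from the question: append the clear-text salt so the verifier
    # can recover it from the stored value alone.
    return hashed_pwd + salt


def split_stored(stored: str) -> tuple[str, str]:
    """Split a stored value into (hash, salt).

    The hash is fixed length, so the split point is constant no matter how
    long the salt is; that is why the salt goes after the hash.
    """
    if len(stored) < SHA1_HEX_LEN:
        raise ValueError("stored value shorter than a SHA-1 hex digest")
    return stored[:SHA1_HEX_LEN], stored[SHA1_HEX_LEN:]


def verify_password(candidate: str, stored: str) -> bool:
    """Recover the salt, re-hash the candidate, compare in constant time."""
    stored_hash, salt = split_stored(stored)
    recomputed = hash_password_for_storing(candidate + salt)
    return hmac.compare_digest(recomputed, stored_hash)


if __name__ == "__main__":
    # Constructed sample: fixed salt so the run is reproducible.
    salt = base64.b64encode(b"salt").decode("ascii")  # "c2FsdA=="
    stored = create_password_hash("correct horse", salt)
    print("stored:", stored)
    print("salt recovered:", split_stored(stored)[1])
    print("right password:", verify_password("correct horse", stored))
    print("wrong password:", verify_password("correct hors", stored))
```

split_stored is the piece the question is really about: because the hash comes first and has a fixed width, the verifier needs nothing but the stored string. Note that a single unsalted-iteration SHA-1 is not an acceptable password hash today, and HashPasswordForStoringInConfigFile is marked obsolete in later .NET versions; the layout shown here (digest followed by salt) is the point, not the digest choice.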