Is there standard way to generate Password Hash with Microsoft?

Question

Is there standard way to generate Password Hash with Microsoft development tools? Or maybe there is most common way. (I have read that there is MD5, STA1)

Unfortunately I don't have server's source code, but have to consume SOAP web-services. The must be some algorithm to generate hash code. I need to implement it using Java or using some library.

Here is part of SOAP request that I need send to server. Look at oldPasswordHash.

- <ChangePassword xmlns="urn:____________">
  <sessionGUID>{864da5f3-21b6-486a-8bd3-c507ae3d224e}</sessionGUID> 
  <oldPasswordHash>089ad55bd0a8f6d3c2e2bbf0e4e1475c7e984ef1</oldPasswordHash> 
  <newPasswordHash>f4a69973e7b0bf9d160f9f60e3c3acd2494beb0d</newPasswordHash> 
  </ChangePassword>

Answer 1

As for hash algorithm, you need a cryptographic hash function, that is a hash function that is (for all intents and purposes) impossible to reverse. Be also aware that there exist files (and indeed websites) that strive to calculate every hashcodes for every string and publish these so called Rainbow Tables. (SHA256 seems like a good choice to me.)

As for programmatic generation, look at System.Security.Cryptography in .NET.

As for tooling to create hashes, I know of nothing that comes with Windows. Obviously you can use the GNU tooling via Cygwin (or the like) or search for a command-line tool for the algorithm you have chosen.

Answer 2

Cygwin for windows provides command line hashing tools such as sha1sum in its coreutils package that can easily compute a hash for you. The Bouncy Castle libraries would provide implementations of most common hash algorithms in both Java and .NET.

The sample XML doesn't say much. The strings are hex, 40 chars in length which is 20 bytes or 160 bits. That may mean it's SHA-1 (which is 160 bits) but not necessarily. In addition, how did it generate a hash from the password. Was the password plaintext, plaintext with some salt, plaintext mixed with some other hash etc. I guess if you install sha1sum first from the command line, you can see what happens if you feed the password into it. You might get lucky and discover what it's doing. Then you can proceed to code up the equivalent with Bouncy Castle.

Answer 3

These are SHA1 hashes of the unsalted passwords.

f4a69973e7b0bf9d160f9f60e3c3acd2494beb0d is the SHA1 hash of Passw0rd!.

The fact that I was able to reverse one of the hashes with a rainbow table service demonstrates that hashing of passwords without salting is very insecure.

In C# you can reproduce the implementation like this:

public static string Hash(string value)
{
   var sha = new System.Security.Cryptography.SHA1CryptoServiceProvider();
   byte[] hash = sha.ComputeHash(Encoding.ASCII.GetBytes(value));
   return BytesToHex(hash).ToLower();
}

private static string BytesToHex(byte[] bytes)
{
   return String.Concat(Array.ConvertAll(bytes, x => x.ToString("X2")));
}

For a java version, take a look at the first google hit for "sha1 java".