tags:

views:

315

answers:

6
+1  Q: 

Using GetHashCode to "secure" users passwords

The company I work for has taken on a support contract for a large order processing system. As part of the initial system audit I noticed that the passwords stored in the database were actually the hashcode of the password.

Essentially:

string pwd = "some pasword";
string securePwd = pwd.GetHashCode();

My question is, how secure or otherwise is this?

I'm not comfortable with it, but I don't know enough about how GetHashCode works. I would prefer to use something like an MD5 hash, but if I'm wasting my time then I won't bother.

+1  A: 

GetHashCode returns a 32 bit integer as the hash value. Considering the birthday paradox, it's not a really acceptable hash value due to the relatively high probability of collisions. You'd probably want to go for SHA1, MD5, SHA2 or something really designed to handle such a task.

Mehrdad Afshari  2009-03-04 10:54:19
Aren't SHA1 and MD5 broken?
Mitch Wheat  2009-03-04 10:59:02
Depends on how you define broken. There are known methods to compute a value that collides (at least I'm sure of this case in MD5), but that doesn't make them useless. Even a salted MD5 is sufficient for storing passwords in most cases. Their "broken" attribute affects digital signatures much more.
Mehrdad Afshari  2009-03-04 11:04:53
Oh, that said, I do not, by any means, recommend using MD5 or SHA1. As Mitch said, go with SHA256 or higher hash algorithms. The whole point of my comment was with the "broken" thing. In encryption algorithms, broken = dead. But in hash algorithms there is a bit more gray area.
Mehrdad Afshari  2009-03-04 11:12:41
Thanks, that's kind of what I was thinking. I try to get the system moved over to SHA256.
ilivewithian  2009-03-04 16:15:03
Don't forget to add the salt. :)
Mehrdad Afshari  2009-03-04 16:32:59
+6  A: 

You should use a salted, cryptographically strong hash, such as SHA256Managed.

Jeff Attwood has a few good posts on this topic:

Rainbow Hash Cracking

You're Probably Storing Passwords Incorrectly

Mitch Wheat  2009-03-04 10:55:00
+2  A: 

It's not just insecure, but also subject to change:

http://netrsc.blogspot.com/2008/08/gethashcode-differs-on-systems.html

The value returned by GetHashValue for a given input has changed in the past.

There's no guarantee it will even be the same between different executions of the app.

stusmith  2009-03-04 10:58:09
A: 

GetHashCode was definitely not designed to be used in this way as the implementation does not guarantee different hash returns for different objects. This means that potentially multiple passwords could produce the same hash. It also isn't guaranteed to return the same hash value on different versions of the .NET framework meaning that an upgrade could potentially produce a different hash for the same string, rendering your passwords unusable to you.

It is recommended that you use a salted hash or even MD5 at a push. You can easily switch it to something within the Security.Cryptography namespace.

jamiei  2009-03-04 10:59:13
A: 

As others have said, GetHashCode isn't designed for what you're trying to do. There is a really excellent article on how to handle user passwords securely.

To summarise the article, you need to use either a relatively slow adaptive hashing scheme such as bcrypt, or alternatively the Stanford Secure Remote Password Protocol. I would suggest the former. And of course you should also use a salt.

RoadWarrior  2009-03-04 11:21:20
A: 

I'd recommend using BCrypt instead. As others have already said using GetHashCode for passwords isn't a good idea.

Quibblesome  2009-03-04 11:37:59

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?