Tutorial: Using GetHashCode to “secure” users' passwords



Question:

The company I work for has taken on a support contract for a large order processing system. As part of the initial system audit I noticed that the passwords stored in the database were actually the hashcode of the password.

Essentially:

string pwd = "some password";
string securePwd = pwd.GetHashCode().ToString(); // the int hash code, stored as a string

My question is, how secure or otherwise is this?

I'm not comfortable with it, but I don't know enough about how GetHashCode works. I would prefer to use something like an MD5 hash, but if I'm wasting my time then I won't bother.


Solution:1

GetHashCode returns a 32-bit integer as the hash value. Considering the birthday paradox, it's not a long enough hash value due to the relatively high probability of collisions, even if it were explicitly designed to be collision resistant, which it is not.

You should go for SHA256 or another cryptographically secure hash function designed to handle such a task.

To store passwords, just using a simple hash function is not enough. You should add some random "salt" per user and iterate enough times so that it would be computationally expensive to brute force. Therefore, you should use something like bcrypt, scrypt, PBKDF2, with a large number of iterations.


Solution:2

You should use a salted, cryptographically strong hash, such as SHA256Managed.

Jeff Atwood has a few good posts on this topic:

Rainbow Hash Cracking

You're Probably Storing Passwords Incorrectly


Solution:3

It's not just insecure, but also subject to change:

http://netrsc.blogspot.com/2008/08/gethashcode-differs-on-systems.html

The value returned by GetHashCode for a given input has changed in the past.

There's no guarantee it will even be the same between different executions of the app.


Solution:4

I'd recommend using BCrypt instead. As others have already said using GetHashCode for passwords isn't a good idea.


Solution:5

GetHashCode was definitely not designed to be used in this way as the implementation does not guarantee different hash returns for different objects. This means that potentially multiple passwords could produce the same hash. It also isn't guaranteed to return the same hash value on different versions of the .NET framework meaning that an upgrade could potentially produce a different hash for the same string, rendering your passwords unusable to you.

It is recommended that you use a salted hash or even MD5 at a push. You can easily switch it to something within the Security.Cryptography namespace.
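As an added example that is not part of any answer above: the salted, iterated PBKDF2 storage that Solution 1 recommends, written against the System.Security.Cryptography APIs that Solution 5 points to. It assumes .NET 6 or later (for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes); the iteration count is an assumed starting point to tune for your own hardware.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the code from the question or the answers.
public static class PasswordHasher
{
    const int SaltSize = 16;         // 128-bit random salt, generated per user
    const int KeySize = 32;          // 256-bit derived key
    const int Iterations = 600_000;  // assumed work factor; raise it as hardware gets faster

    // Stores the parameters with the hash as "pbkdf2-sha256$iterations$salt$key",
    // so the work factor can be raised later without breaking existing records.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                               HashAlgorithmName.SHA256, KeySize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                  HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison: a plain == on byte arrays would also be wrong (reference equality).
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string stored = Hash("correct horse battery staple");
        Console.WriteLine(stored);
        Console.WriteLine(Verify("correct horse battery staple", stored));
        Console.WriteLine(Verify("wrong password", stored));

        // For contrast, the approach from the question: on .NET Core and later,
        // string.GetHashCode() is randomised per process, so this value changes between runs.
        Console.WriteLine("correct horse battery staple".GetHashCode());
    }
}
```

Running the program twice shows the PBKDF2 record verifying on both runs while the GetHashCode value differs, which is the unusable-after-upgrade problem Solution 3 and Solution 5 describe.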


Solution:6

As others have said, GetHashCode isn't designed for what you're trying to do. There is a really excellent article on how to handle user passwords securely.

To summarise the article, you need to use either a relatively slow adaptive hashing scheme such as bcrypt, or alternatively the Stanford Secure Remote Password Protocol. I would suggest the former. And of course you should also use a salt.

