Is it possible to get to the password in the aspnet_Membership table using a string that has been hashed with SHA1?

  • Question

  • Hello,

    I have a question about the passwords generated in the aspnet_Membership table. If I'm not mistaken then the default hash algorithm used is SHA1 with a randomly generated salt value using the below function:

    public string EncodePassword(string pass, string salt)
    {
        // UTF-16LE bytes of the password and of the salt string
        byte[] bytes = Encoding.Unicode.GetBytes(pass);
        byte[] src = Encoding.Unicode.GetBytes(salt);
        // concatenate salt || password into one buffer
        byte[] dst = new byte[src.Length + bytes.Length];
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);
        // SHA1 over the concatenation, stored base64-encoded
        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
        byte[] inArray = algorithm.ComputeHash(dst);
        return Convert.ToBase64String(inArray);
    }

    My question may seem very strange but please bear with me :-)

    Let's imagine that my plain text password is 'my_password'. For the sake of simplicity let's say that .NET generates the following hashed values in the aspnet_Membership table:

    Password: 'my_password_final', PasswordSalt: 'my_password_salt'.

    Imagine that the below function...

    SHA1 myHash = new SHA1CryptoServiceProvider();
    byte[] bytes = myHash.ComputeHash(Encoding.Unicode.GetBytes("my_password"));
    string passwordSha1 = Convert.ToBase64String(myHash.Hash);

    ...yields an encrypted value of 'my_password_sha1'.

    Is it in any way possible to come to 'my_password_final' using 'my_password_sha1' and 'my_password_salt'? In other words: is it possible to compute the same hashed value in the aspnet_Membership table, i.e. 'my_password_final', using a string that has been hashed with SHA1 and knowing the value of PasswordSalt? My first guess is 'no' but I need the advice of somebody more familiar with security and cryptography.

    The reason for this question is that we have a large .NET site with many users whose passwords are stored using the built-in .NET security features. We're trying to 'connect to the outside world' with a WCF web service and the first company that wants to hook up to our system works in a different environment with limited security and cryptography resources.

    Thanks for your help,

    Andras

    Friday, February 11, 2011 7:22 AM
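The following is an added example, not code from the original post or from ASP.NET itself. It ports the posted EncodePassword to Python so the two values in the question can be compared directly: the stored membership hash is SHA1 over the UTF-16LE bytes of the salt followed by the UTF-16LE bytes of the password, base64-encoded, whereas 'my_password_sha1' is SHA1 over the password bytes alone. Because SHA1 consumes the salt bytes before the password bytes, the unsalted digest is not an intermediate state of the salted computation, so a verifier holding only the unsalted digest has nothing to compare against the stored value; the only way to check a login is to recompute from the plaintext, which is what verify_password does. Names, the sample salt and the 16-byte random salt length are assumptions of this example; note also that the stock SqlMembershipProvider base64-decodes the stored salt rather than UTF-16 encoding it, and the example follows the posted code instead.

```python
import base64
import hashlib
import hmac
import os


def encode_password(password: str, salt: str) -> str:
    """Port of the posted EncodePassword: base64(SHA1(UTF-16LE(salt) || UTF-16LE(password)))."""
    salt_bytes = salt.encode("utf-16-le")       # Encoding.Unicode.GetBytes(salt)
    pass_bytes = password.encode("utf-16-le")   # Encoding.Unicode.GetBytes(pass)
    digest = hashlib.sha1(salt_bytes + pass_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def sha1_only(password: str) -> str:
    """The unsalted value the question calls 'my_password_sha1'."""
    digest = hashlib.sha1(password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_salt() -> str:
    """Fresh random salt; 16 bytes base64-encoded (assumed here, mirroring the provider's salt size)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def verify_password(candidate: str, stored_hash: str, salt: str) -> bool:
    """Recompute from the plaintext candidate and compare in constant time."""
    return hmac.compare_digest(encode_password(candidate, salt), stored_hash)


def demo() -> dict:
    # Constructed sample values standing in for a row of aspnet_Membership.
    salt = "my_password_salt"
    stored = encode_password("my_password", salt)
    unsalted = sha1_only("my_password")
    return {
        "stored_hash": stored,
        "unsalted_sha1": unsalted,
        # The two digests differ: the unsalted value cannot be mapped onto the stored one.
        "unsalted_matches_stored": hmac.compare_digest(stored, unsalted),
        "plaintext_verifies": verify_password("my_password", stored, salt),
        "wrong_password_verifies": verify_password("my_passw0rd", stored, salt),
        # Same password under a different salt yields a different stored hash.
        "same_password_other_salt_equal": encode_password("my_password", generate_salt()) == stored,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for the WCF integration in the question is that the partner system must send the plaintext credential over a protected channel (or authenticate through a token the site issues after verifying it), rather than a pre-hashed value, since only the plaintext can be run through encode_password against the stored salt.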

Answers

  • Andras,

     

    There is no way to recover your 'my_password_final' using 'my_password_sha1' and 'my_password_salt' if you generated the password using a hash except by brute-force methods.  You may recover the encrypted password if you chose to use an encrypting methodology instead of hashing methodology generating the password.  Please see the following article for more details.

     

    http://www.codeproject.com/KB/recipes/StoringPasswords.aspx

     

    All the best,

     

    Roger

    • Proposed as answer by Psalm3_3 Friday, February 11, 2011 8:44 PM
    • Marked as answer by andras1979 Monday, February 14, 2011 12:11 PM
    Friday, February 11, 2011 8:44 PM

All replies

  • Hi Roger,

    thanks for your explanation, I suspected this outcome.

    Best regards, Andras

    Monday, February 14, 2011 12:12 PM