I'm not completely clear on the password hashing algorithm. I know @brockallen has written about it in his blog but w/ my primitive understanding of the hashing crypto, I don't understand 2 things:

I'm happy to do additional reading on the subject if anyone has link or book suggestions.

Thanks.

---

I've been looking at this code today, so thought I'd take a stab at answering. Disclaimer - newbie to membershipreboot and to security in general.

1. HashPassword method returns a base64 encoded byte array of the salt + the calculated hash. If you just looked at the first bit of the hashed value in the database, it might appear they are the same however.. see point 2 as to why.

2. In HashPassword in BrockAllen.MembershipReboot/Crypto/DefaultCrypto.cs you can see that the string returned (that ends up being persisted) is the iterationCount + PasswordHashingIterationCountSeparator + Hashed Password (salt + hash).

As for suggested reading, me too!

---

what @nicholas-brooks said :)

and to clarify -- each hashed password should be different because of the salt.

---

Thanks @nicholas-brooks. Your explanation makes perfect sense (and is blatantly obvious in retrospect given the referenced code) and clarifies both of my questions. I'm sure that when I visually compared two different hashes for the same password, they looked the same when in fact they were not.
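The storage layout described in the answer above (iteration count, a separator, then base64 of salt followed by hash) is easy to reproduce in a few lines. The example below is added here for illustration; it is not MembershipReboot's own code. It uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count, separator character, salt length and hash length are constructed values for this demo, not the library's defaults. It shows why two hashes of the same password look alike at a glance (identical iteration-count prefix) while actually differing (random salt), and how verification recovers the salt from the stored string.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this illustration (assumptions, not the
# library's real defaults or separator).
ITERATIONS = 10000
SEPARATOR = "."
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return '<iterations><SEPARATOR><base64(salt + pbkdf2_hash)>'.

    A fresh random salt is drawn on every call unless one is supplied,
    so hashing the same password twice yields two different strings.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    encoded = base64.b64encode(salt + derived).decode("ascii")
    return f"{iterations}{SEPARATOR}{encoded}"


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored value back into (iterations, salt, hash)."""
    count_text, encoded = stored.split(SEPARATOR, 1)
    blob = base64.b64decode(encoded)
    if len(blob) != SALT_BYTES + HASH_BYTES:
        raise ValueError("stored hash has unexpected length")
    return int(count_text), blob[:SALT_BYTES], blob[SALT_BYTES:]


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    return hmac.compare_digest(candidate, expected)


def same_visible_prefix(a: str, b: str) -> bool:
    """True when two stored values share the iteration-count prefix."""
    return a.split(SEPARATOR, 1)[0] == b.split(SEPARATOR, 1)[0]


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print(first)
    print(second)
    print("same prefix:", same_visible_prefix(first, second))
    print("identical:", first == second)
    print("both verify:", verify_password("correct horse battery staple", first)
          and verify_password("correct horse battery staple", second))
```

Both printed lines begin with the same "10000." prefix, which is what a quick visual comparison in a database viewer picks up; the base64 body after the separator differs because each call used its own salt.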