Re: using md5 but want sha-1



Hi,

but instead of storing a simple hash - you want salted hashes [0]

use System.Security.PasswordDeriveBytes for that [1].

[0] http://www.aspheute.com/english/20040105.asp
[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecuritycryptographypasswordderivebytesclasstopic.asp

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi,

I'm using

    // requires: using System.Security.Cryptography; using System.Text;
    MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider();
    byte[] hashedDataBytes;
    UTF8Encoding encoder = new UTF8Encoding();
    // unsalted MD5 of the UTF-8 encoded password
    hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(strPassword));

I notice there is a SHA1CryptoServiceProvider. By the way, I'm using 1.1.

Is that what you mean by managed? Is this from
System.Security.Cryptography?
Which docs were you referring to?
Thanks
"Dominick Baier [DevelopMentor]" wrote:

Hi,

first of all - SHA1 is a hashing algorithm - no encryption. Hashing
is a non-reversible process, which is fine for passwords.

The corresponding class is called SHA1Managed - I would recommend
moving to SHA256Managed if you can.

Both support a ComputeHash method that takes a byte[] and returns a
byte[].

Especially for passwords I would recommend using PasswordDeriveBytes
(1.1) or Rfc2898DeriveBytes (2.0).

have a look at them in the docs - if you have further questions -
feel free to ask.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,
I was reading that md5 is not that secure and that sha-1 or
whirlpool or ripemd-160 were better solutions. I'm using asp.net and
I want to encrypt the password. Where can I find sample code for
that with sha-1? I can't seem to find one.
Thanks
Francisco

