
Thread: Hashing Passwords

  1. #1

    Thread Starter
    Frenzied Member dj4uk's Avatar
    Join Date
    Aug 2002
    Location
    Birmingham, UK Lobotomies: 3
    Posts
    1,131

    Hashing Passwords

    Hi

    I'm using the following C# code to hash a password before it is stored in a database.

    Code:
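        using System;
        using System.Security.Cryptography;
        using System.Text;

        public static string Encrypt(string cleanString)
        {
            // UnicodeEncoding is UTF-16LE, so the hash is computed over UTF-16 bytes
            Byte[] clearBytes = new UnicodeEncoding().GetBytes(cleanString);
            // Unsalted MD5 digest of the password bytes
            Byte[] hashedBytes = ((HashAlgorithm) CryptoConfig.CreateFromName("MD5")).ComputeHash(clearBytes);

            // Hex pairs separated by '-', e.g. "5F-4D-CC-..."
            return BitConverter.ToString(hashedBytes);
        }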
    When someone logs in I hash the password entered and compare against the stored hashed password.

    Now this seems to work in most cases but every so often the hashed passwords don't match!

    Just wondering if there is a salt or anything similar that might be set up somewhere, e.g. machine.config.

    This is all on a shared server so it is possible the host is changing something somewhere that I don't know about.

    Help!

    DJ


  2. #2
    Frenzied Member ntg's Avatar
    Join Date
    Sep 2004
    Posts
    1,449

    Re: Hashing Passwords

    The code seems right to me. One thing though, are you using that with ASP.Net? If so, could the posted password of a user change depending on OS default locale and browser settings?

  3. #3
    Lively Member
    Join Date
    May 2004
    Posts
    104

    Re: Hashing Passwords

    I don't have the locale problem. I have had the problem where some characters would just not work. They were considered escape characters in SQL Server so it would not write the hash as a string. This happened to me when a person entered a password that started with an h. All I knew is that a hash was generated and it was consistent every time; however, it generated an escape sequence in the first three characters or so. Luck of the draw I suppose. A hash should never use different hashes for the same value. Even with using MD5 to hash. Message Digest v 5 should have enough juice to not have to rehash the same passwords over again. Try around 20 different passwords and see what you get when you repeat them. Post the number of times the passwords came out the same and the number of times it came out different. What I might be able to tell you is that you might be like me and figure out that you are using some illegal sequence somewhere. And then tell your users not to have a password that starts with an h lol.

    Pol
