What Is Hashing?
Hashing is a common method for storing passwords. The hash value of a password is calculated by applying a mathematical function (a hash algorithm) to it. The essential property of the hash algorithm is that you can't obtain the original password from its hash value (the algorithm is one-way).
Hashing differs from encryption in that it can't be undone, whereas encrypted data can be decrypted provided the correct decryption key is known. With hashing, even if an unauthorized person gets access to the database, he or she won't be able to find out the stored passwords (in practice, researchers have found weaknesses in the popular MD5, SHA-0, and SHA-1 hashing algorithms; see http://www.broadbandreports.com/shownews/52284).
User passwords are stored in hashed form, so when a user tries to authenticate, the entered password is hashed, and the resulting hash value is compared to the stored hash value of the original (correct) password. If the two values are identical, the entered password is the correct one.
You can store the hashed versions of user passwords directly in web.config (although in this chapter you'll use a new ASP.NET 2.0 technique that uses the database for storage). To calculate the hash value of a password for storing in web.config, you can use the very intuitively named function FormsAuthentication.HashPasswordForStoringInConfigFile. You can find examples of how to use this function in MSDN and in a number of other articles, such as the ones at http://www.stardeveloper.com/articles/display.html?article=2003062001&page=1 or http://www.c-sharpcorner.com/Code/2003/Feb/HashPassword.asp. Alternatively, you can even hash your password online on a site such as http://aspnetresources.com/tools/pwdhash.aspx. For example, the hash value of the password "admin" using the SHA-1 algorithm is D033E22AE348AEB5660FC2140AEC35850C4DA997. In the following example, you'll simply store this hash value in web.config.
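As an added example (not code from the book or from the .NET Framework), the following Python reproduces the output format of HashPasswordForStoringInConfigFile (UTF-8 password, MD5 or SHA-1, uppercase hex) and walks through the authentication check described above against a constructed web.config fragment holding the "admin" hash quoted in the text. The `<credentials>` layout and user name are assumptions for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def hash_for_config_file(password: str, fmt: str = "SHA1") -> str:
    """Mirror the format of FormsAuthentication.HashPasswordForStoringInConfigFile:
    the UTF-8 encoded password hashed with MD5 or SHA1, returned as uppercase hex.
    This is a reimplementation for illustration, not the .NET API itself.
    Both formats are unsalted, which is why the text points at the MD5/SHA-1
    weaknesses; they are used here only because web.config stores them this way."""
    algorithms = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}
    if fmt not in algorithms:
        raise ValueError(f"unsupported passwordFormat: {fmt}")
    return algorithms[fmt](password.encode("utf-8")).hexdigest().upper()


# Constructed web.config fragment (assumed layout); the admin hash is the
# SHA-1 value of "admin" quoted in the text.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="Login">
        <credentials passwordFormat="SHA1">
          <user name="admin" password="D033E22AE348AEB5660FC2140AEC35850C4DA997" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""


def load_credentials(config_xml: str):
    """Return (passwordFormat, {username: stored_hash}) from a web.config string."""
    root = ET.fromstring(config_xml)
    creds = root.find("./system.web/authentication/forms/credentials")
    fmt = creds.get("passwordFormat", "SHA1")
    users = {u.get("name"): u.get("password") for u in creds.findall("user")}
    return fmt, users


def authenticate(config_xml: str, username: str, entered_password: str) -> bool:
    """Hash the entered password the same way and compare it with the stored hash.
    compare_digest keeps the comparison time independent of where the strings differ."""
    fmt, users = load_credentials(config_xml)
    stored = users.get(username)
    if stored is None:
        return False
    candidate = hash_for_config_file(entered_password, fmt)
    return hmac.compare_digest(candidate, stored.upper())


if __name__ == "__main__":
    print(hash_for_config_file("admin"))               # D033E22AE348AEB5660FC2140AEC35850C4DA997
    print(authenticate(WEB_CONFIG, "admin", "admin"))  # True
    print(authenticate(WEB_CONFIG, "admin", "Admin"))  # False
```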