.net - Hash on Unicode Password -


i'm writing password salt/hash procedure .net application, largely following guide of article: http://www.aspheute.com/english/20040105.asp

basically code computing salted hash this:

public string computesaltedhash(string password, byte[] salt) {      // password ascii text bytes:     byte[] passwordbytes = system.text.encoding.ascii.getbytes(password);      // append 2 arrays     byte[] tohash = new byte[passwordbytes.length + salt.length];     array.copy(passwordbytes, 0, tohash, 0, passwordbytes.length);     array.copy(salt, 0, tohash, passwordbytes.length, salt.length);      byte[] computedhash = sha1.create().computehash(tohash);      // return ascii string     return system.text.encoding.ascii.getstring(computedhash); } 

however, want allow allow users use unicode chars in password, if like. (this seems idea; can think of reason it's not?)

however, don't know ton how unicode works, , i'm worried if change both references of system.text.encoding.ascii system.text.encoding.unicode, hash algorithm might produce byte combinations don't form valid unicode chars , getstring call freak out.

is valid concern, or ok?

you shouldn't using any normal encoding convert arbitrary binary data string. it's not encoded text - it's sequence of bytes. don't try interpret if "normal" text. whether original password contains non-ascii characters irrelevant - current code broken. (i treat linked article large dose of suspicion on basis.)

i suggest:

  • use encoding.utf8 bytes password. allow password contain unicode character. encoding.unicode fine here too.
  • use convert.tobase64string convert computed hash text. base64 designed represent opaque binary data in text within ascii character set.

Comments

Popular posts from this blog

SAP Web Service from .NET via WCF -

Optimized Line drawing in QT -

datetime - str to time in python -