Get back value from hash?

I am trying to get a string back from its hash value.

    string str = "Hello";
    int hashStr = str.GetHashCode(); // hash value of "Hello" is -694847

Can I get my string (i.e. "Hello") back from the hashed value?

UPDATED

Actually, I am going to save the password in my database after hashing to make it secure ...

Does this mean that the other password has the same value?

+4
9 answers

There are exactly 2^32 hash codes, but way, way more strings than that. Thus, by the pigeonhole principle, there must be multiple strings mapping to the same hash code. Therefore, a reverse mapping from hash code to string is not possible.

Edit: In response to your update.

Actually, I am going to save the password in my database after hashing to make it secure ...

Does this mean that the other password has the same value?

Yes, two passwords can have the same hash. This is basically a restatement of the above. But you should not use GetHashCode for password hashing. Instead, use something safe such as SHA-2.

To take it a step further, never try to roll your own encryption, security, etc. Find a library that does this for you.

+16

Actually, I am going to save the password in my database after hashing to make it secure.

You are not competent to implement this code.

That is nothing bad. I am not competent to do so either, and I have been studying security systems for years. From studying security systems, I learned that they are insanely difficult to get right and require many years of experience and detailed expertise in a complex domain. This is how I know that I am not competent. The fact that you think that hashes can be reversible indicates that you are not a security professional.

My advice: hire a security professional to complete this task for you. It makes no sense to spend good money on creating a bad security system that does not actually protect your resources. Instead of rolling your own cheap system now and spending a lot more money on cleaning up the disaster later, spend a little more time and get a professional implementation.

In addition, the documentation for GetHashCode states that it is not suitable for password hashing, as the algorithm can be changed at any time. In fact, the hash algorithm changed between CLR v1 and CLR v2 and broke every single vendor that relied on GetHashCode for password hashes and upgraded its system. GetHashCode is not stable, it is not secure, it is not cryptographic and it is not based on any standard algorithm. DO NOT UNDER ANY CIRCUMSTANCES USE IT FOR CRYPTO HASHING.

+7

One answer that is missing here is one explaining to the OP that hashing is not encryption. The terms hashing and cryptography are often confused by younger programmers (including me at one point) who need to deal with security for the first time.

  • From Wikipedia: a hash function is any well-defined procedure or mathematical function that converts a large, possibly variable-sized amount of data into a small datum, usually a single integer that can serve as an index for an array (see associative array). The values returned by the hash function are called hash values, hash codes, hash sums, checksums, or simply hashes.
  • From Wikipedia: encryption is the process of converting information (called plaintext) using an algorithm (called a cipher) to make it unreadable by anyone other than those with special knowledge, usually called a key.

Edit to update:

  • Yes. Although it is unlikely and highly dependent on the type of hash algorithm, hashing two or more different pieces of data can produce the same value.
  • Password hashing is often used to protect passwords in a database. But you cannot un-hash the passwords. If you want to use them, you must compare the hash values to make sure they match. Here is an ASP-specific strategy for hashing passwords. Here is a good read, especially if you work with web technologies.
+5

Something that was not mentioned here: you must salt your hashes... yum yum.

What salt is / does.

Suppose you get someone else's database full of hashed passwords. If they had hashed without salt, then cracking passwords would be as simple as loading a large pre-hashed dataset of a shitload of strings.

If the hash of one string matches, then you have a good chance of finding out the password. Even if it is not the correct password, you can log in with it, since it gives the same hash.

This is where you salt your hashes. If you add a salt (aka a predefined random string) to a password before hashing it, then you cannot just pre-hash a ton of strings.

Example.

No salt: Password ABCD is hashed to 1234EFG. A large list of pre-hashed strings contains the hash 1234EFG; the matching string may or may not be ABCD, but it will still work.

With salt: Password ABCD concatenated with 0315927429 hashes to 43BCF1. Each password has a different salt, so you cannot use one precomputed hash lookup table; you would need to recalculate the hashes for each password.

Recalculation will be incredibly time-consuming. Now, the salt does not have to be stored securely in order to provide a lot of this benefit. Even if you store the salt in the same table, it would be incredibly difficult for someone to do a hash lookup to try to reset one person's password.

Another respondent: “One of the answers that is missing here explains to OP that hashing is not encryption.”

Hashes are sometimes referred to as "one-way encryption." This description is bad and adds to the confusion you were talking about.

+1

As others have said, in the general case, you cannot do this because the string hash is not a one-to-one function; there is an infinite number of strings, but only 2^32 ~ 4 billion hashes. However, you can do a dictionary attack against a failed hash. Get a cluster of computers to calculate hashes for a wide range of likely strings (like dictionary words) and find the hash that matches.

0

Short answer to your question: No. A hash is one-way only.

If you want to protect your password, as you said in the update, hash it with a hash algorithm (MD5, SHA1, ...) and then store it in the database. If you want to verify the password provided by the user, just hash it and compare it with the hash stored in the database.

0

Actually I am going to save the password in my database after hashing to make it safe ...

So, does this mean that other passwords even have the same value?

  • GetHashCode is not a cryptographic hash function, so it is not suitable for this purpose.

  • Yes, different passwords will have the same value. However, this still makes user passwords more secure, although this can be done securely on the client side rather than server side to improve security. The purpose of hashing passwords before saving them is to make sure that your database* cannot be used to determine user passwords. A user can still use the hashes stored in your database to act as your users, but knowing the user's password is actually more valuable, since a good chunk of your users will use the same passwords everywhere.

* There are other similar attacks that this protects against, such as man-in-the-middle attacks, but in general this is due to the fact that you do not store the user's password in your database in plain text.

0

Do not use GetHashCode() to hash the password. It is not a cryptographic hash, and its result is too short. GetHashCode is intended for use in hash tables and similar structures. A GetHashCode() that returns a constant value is valid (but greatly slows down hash tables).

There are several pitfalls for password hashing:

  • Use a salt so that an attacker cannot use rainbow tables (or similar precomputation attacks).
  • Use many iterations to slow down brute-force attacks.
  • Use a cryptographic hash function.

It is best not to roll it yourself, but instead use a standard key derivation function (KDF) such as PBKDF2.

The .NET Framework contains classes for this:

To check the correctness of the entered password, you do not decrypt the saved password (which is not possible); instead, you hash the entered password with the same salt as the original password, and then compare the hashes.

0

You cannot get the original value back from a hashed value, but what you can do (and this is what is done on almost every website that stores hashed passwords) is compare the hash of the password just entered with the hash you saved.

And about your second question, it is true that more than one text can correspond to one hash, but it is not like the hash of "hello" being equal to the hash of "goodbye". It is more like the hash of "hello" being equal to the hash of "sdd89sfu7w84haushf9478hfsklehf84hfwuhf ...".

0
