MD5 or SHA1 hashing - the easy way

This is a typical example of a static method which IMHO is in the wrong namespace.

If you're looking to use an MD5 or SHA1 hashing algorithm to hash passwords, a lot of people would start looking in the System.Security.Cryptography namespace. But the System.Web.Security namespace offers us the FormsAuthentication.HashPasswordForStoringInConfigFile() static method:

string pwhash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "md5");

The second parameter can be either "md5" or "sha1".

As far as I'm concerned, simple (static) hashing, encryption and decryption methods should've been in System.Security.Cryptography in the first place.

What do you think?

15 Comments

  • That's where I first went looking for it way back when.

  • I agree that there should be some 'easy' helper methods in all the namespaces. I'm a lot less encouraged to arbitrarily add System.Web references just for that one method though ;-)

  • I agree, Eric. I don't fancy including System.Web for WinForms apps or libraries either. At the same time, I think that emphasizes the point that these kinds of methods belong in a different namespace.



    Similar thing goes for System.Web.Caching. It can be used in WinForms apps - so why not shove it in something like System.Caching instead?

  • But hashing is simple:



    Encoding encoder = new UTF8Encoding();

    SHA1 sha = new SHA1Managed();

    byte[] passwordHash = sha.ComputeHash(encoder.GetBytes(password));



    This gives you bytes, which is what a hash is. The forms authentication method BinHexes the bytes into a string, which is ok for human readable files but a waste when your password hashes are in a database, where they should be stored as binary(20) or binary(16) depending on which hash you're using.

  • Jerry - sure, you can even do it in one line of code. This is how simple it is:



    string passwordHash = Convert.ToBase64String(new SHA1Managed().ComputeHash(new System.Text.UTF8Encoding().GetBytes("mypassword")));



    That, however, was not my point. It'd be far easier to have a few static methods for hashing and/or encryption/decryption with several overloads for either basic strings or byte arrays.



    It would've been useful if some static hash methods like the following existed:



    static byte[] SHA1.Computate(byte[] bytes);

    static string MD5.Computate(string phrase);



    etc...



    My other point was that the MD5 hash function HashPasswordForStoringInConfigFile() is in the wrong namespace.

  • I see your points, and I agree with the namespace, forms authentication is not limited to web apps.



    As for having string MD5.ComputeHash(string) - the problem is that the result of a hash is a sequence of bytes. So what should a string representation be? BinHex? UUEncode? Base-64? A comma separated list of byte values? There is no default implicit string representation of a byte array. Same applies to the input, should the string be taken as sequence of bytes in UTF-8? UTF-16? UCS-2? 7-bit ASCII (ignoring Unicode characters altogether)?
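
The ambiguity described in the comment above, as an added example that is not part of the original post or its comments: the same password gives a different SHA-1 digest depending on the input encoding and a different string depending on the output encoding, so code that verifies a stored hash has to repeat both choices exactly. It assumes that HashPasswordForStoringInConfigFile hashes the UTF-8 bytes of the password and returns uppercase hex; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HashRepresentations
{
    // SHA-1 over the bytes a given text encoding produces for the string.
    static byte[] Sha1Of(string text, Encoding encoding)
    {
        using (SHA1 sha = SHA1.Create())
            return sha.ComputeHash(encoding.GetBytes(text));
    }

    // Uppercase hex, no separators (assumed FormsAuthentication output format).
    static string ToHex(byte[] digest)
    {
        return BitConverter.ToString(digest).Replace("-", "");
    }

    // Re-hash the candidate and compare it with the stored hex digest.
    static bool Matches(string storedHex, string candidate, Encoding encoding)
    {
        return string.Equals(storedHex, ToHex(Sha1Of(candidate, encoding)),
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        const string password = "mypassword"; // constructed sample input

        byte[] utf8 = Sha1Of(password, Encoding.UTF8);
        byte[] utf16 = Sha1Of(password, Encoding.Unicode); // UTF-16LE

        // Same password, four different strings.
        Console.WriteLine("UTF-8  in, hex out    : " + ToHex(utf8));
        Console.WriteLine("UTF-8  in, Base64 out : " + Convert.ToBase64String(utf8));
        Console.WriteLine("UTF-16 in, hex out    : " + ToHex(utf16));
        Console.WriteLine("UTF-16 in, Base64 out : " + Convert.ToBase64String(utf16));

        // A verifier must use the encoding the stored value was made with.
        string stored = ToHex(utf8);
        Console.WriteLine("verify as UTF-8  : " + Matches(stored, password, Encoding.UTF8));
        Console.WriteLine("verify as UTF-16 : " + Matches(stored, password, Encoding.Unicode));
    }
}
```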

  • Jerry,



    The input string should be Unicode, UTF-16 and the output Base64. As far as I know that's pretty much the standard for checksum hashes.



    Besides, like I mentioned before, you'd have a few overloaded static methods for different kinds of inputs and outputs including which type of encoding, when using strings.

  • how can we decode hash

  • Amity,



    Hashes cannot be decoded. They are a one way checksum over a piece of data.

  • but is it not good enough if you are using it in a web application......

  • It works. I was asked to hash data, and I did using the
    'System.Security.Cryptogr..' method, but the final data is not the same as the expected result, BUT thanks to you, this method works SPOT on!

    So thanks, you made a difference and your post really helped.

  • Sweet post, worked for a unique problem I was having!

  • easiest way for encoding is
    TextBox2.Text = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox1.Text, DropDownList1.SelectedItem.ToString ());

    how to get vice versa....

  • Please note that HashPasswordForStoringInConfigFile is obsolete these days.
