
Jan 11, 2012

How not to hash passwords in .NET

In connection with a bug in TransformTool, I've been looking into how text encoding is handled in the .NET framework. Turns out there are some caveats that can affect the correctness of a program, and when used in e.g. password validation they might turn out to be severe security issues.

This post assumes you are somewhat familiar with how character encodings work. You might want to check out my Introduction to character encoding if you're not. I wrote it mainly because I didn't want to explain the basics of encodings in this post.

The encoding issues/features I discuss here are all well documented in the article Character Encoding in the .NET Framework, but I believe that the issues aren't that well known. Stack Overflow, blogs, and discussion forums are riddled with insecure code samples. Do a Google search for "ASCII.GetBytes" password, and you'll get a lot of results. I even found insecure code examples in a textbook, the C# 2008 Programmer's Reference (page 344). So I definitely believe we need to raise awareness of these issues in the .NET community.

Encoding subtleties
In the MSDN article on character encoding you'll find that the first suggestion on how to use the encoding objects in .NET is: 
Use the static properties of the Encoding class, which return objects that represent the standard character encodings available in the .NET Framework (ASCII, UTF-7, UTF-8, UTF-16, and UTF-32). For example, the Encoding.Unicode property returns a UnicodeEncoding object. Each object uses replacement fallback to handle strings that it cannot encode and bytes that it cannot decode.
And people love to use the static properties! But if you don't read this carefully and pause at the words "replacement fallback", you might get into trouble. "Replacement fallback" means that every character that cannot be encoded to bytes is silently replaced with the "?" character. But what does that mean in practice? Time for a demo using the ASCII encoding:

Oh my. What just happened here?
  1. First you see the different strings I've chosen to demonstrate how the "default" encoding works. Some strings contain characters that do not exist in the ASCII encoding.
  2. Next you see the output from System.Text.Encoding.ASCII.GetBytes(...); the strings have become bytes, shown as hex. Hint: look at how the last three strings' bytes suddenly are identical after running them through GetBytes()!
  3. Just to underscore that hashing does not help here (identical bytes give identical hash values). Out of our five different input strings, three have the same hash value!
  4. System.Text.Encoding.ASCII.GetString(...), to turn our byte arrays back into String objects. If you compare the input strings and output strings, only one of them is unchanged.
If you read the documentation for e.g. the static ASCII encoding property, the results aren't very surprising: 
... might not have the appropriate behavior for your application. It uses replacement fallback to replace each string that it cannot encode and each byte that it cannot decode with a question mark ("?") character.
Still, this is often how people recommend you hash passwords. Read the docs people!

The MSDN article on character encodings is really good, so go read it. I've included the source code for the demo at the end of the post in case you want to try it yourself. I've also added a commented out Exception fallback example, try that out too.

This was bad. Now what?
Well, first I'll point out the implications here. If all your users used ASCII characters only, this wouldn't be a problem. Ironically, as you add non-ASCII characters to passwords — supposedly making them "more secure" — you make them less secure, since every non-ASCII character becomes a "wildcard" that matches any other non-ASCII character in the same position. All you guys who are native English speakers have to keep in mind that there are more of us who aren't, so use UTF-8 in your code samples instead of ASCII. Then we can still use our classic Norwegian trick to make passwords "uncrackable" by adding a Norwegian letter to them: æ/ø/å.

So, while I've pointed out what could be a potentially serious security issue, it's probably not the end of the world. But you should move away from the ASCII-encoding if that's what you're using for your password hashing.

Building an authentication system based on passwords is not as straightforward as many might think. Here are a couple of important challenges:
  • You need to avoid the problem I've outlined in this post, so you don't mess up the password before you've even started (it can be solved by using a Unicode encoding with the Exception Fallback).
  • You need to salt the passwords to avoid the problem of rainbow tables.
  • You need to decide on how you want to compute the value you store in the database: should you use a plain SHA-256 transform, the PBKDF2 algorithm, bcrypt, or maybe scrypt? That decision directly affects the effectiveness of brute-force and dictionary attacks.
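The three points above, put together in one routine. This is an added example and not code from the original post or from the SqlMembershipProvider: a UTF-8 encoding with exception fallback, a random 128-bit salt per password, and PBKDF2 (via Rfc2898DeriveBytes.Pbkdf2, which assumes .NET 6 or later) instead of a plain hash. The iteration count, the output size and the "iterations.salt.hash" storage format are my own assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post). Assumes .NET 6 or later.
public static class PasswordHasher
{
    // UTF-8 with exception fallbacks: an unpaired surrogate in the password
    // throws an EncoderFallbackException instead of being replaced silently.
    private static readonly Encoding StrictUtf8 =
        new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);

    private const int SaltSize = 16;        // 128-bit salt, one per password
    private const int HashSize = 32;        // 256-bit derived key
    private const int Iterations = 100_000; // assumption: tune for your hardware

    // Returns "iterations.salt.hash" (base64) for storage in the database.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Derive(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(password, salt, iterations);
        // Constant-time comparison so timing does not leak which bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        byte[] passwordBytes = StrictUtf8.GetBytes(password); // throws on invalid input
        return Rfc2898DeriveBytes.Pbkdf2(passwordBytes, salt, iterations,
                                         HashAlgorithmName.SHA256, HashSize);
    }

    public static void Main()
    {
        // Constructed sample passwords: the Norwegian letters must not collapse
        // into question marks, so the second password must fail verification.
        string stored = Hash("hemmelig\u00e6\u00f8\u00e5");
        Console.WriteLine("Correct password verifies: " + Verify("hemmelig\u00e6\u00f8\u00e5", stored));
        Console.WriteLine("Question-mark variant verifies: " + Verify("hemmelig???", stored));

        try
        {
            Hash("\ud800"); // constructed input: a lone high surrogate
        }
        catch (EncoderFallbackException e)
        {
            Console.WriteLine("Invalid password input rejected: " + e.Message);
        }
    }
}
```

Note that the iteration count is stored next to the hash so it can be raised later for new passwords without invalidating existing ones.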
Fortunately, you don't have to solve these problems yourself; you can rely on others. There is, for example, a .NET membership provider that takes care of all of this, the SqlMembershipProvider. It uses the Unicode encoding to handle the passwords, and it also uses a unique 128-bit salt for each password. It used SHA-1 up until .NET 3.5, but SHA-256 was made the default hash function in .NET 4. If you're not familiar with any of the challenges I've listed above, you should go with the membership provider. If you're not a .NET developer, see if you can find a renowned library for your platform instead of implementing this yourself.

You'll find a detailed article by Troy Hunt on the issues with password hashing in his OWASP top ten for .Net developers. And here's a definite take away:
..when it comes to security, the more stuff you can pull straight out of the .NET framework and avoid rolling yourself, the better. There’s just too much scope for error and unless you’re really confident with what you’re doing and have strong reasons why the membership provider can’t do the job, stick with it.

Anything else?
Well, yes. You might not always be the one deciding how encoding errors should be handled, so you need to keep an eye on how others deal with these issues. As I've been writing this post there's been a release of the AntiXSS library. One of the changes is that "Invalid Unicode no longer throws an exception"; here are the details from the release notes:
Invalid Unicode characters are now replaced with the Unicode replacement character, U+FFFD (�). Previously, when encoding strings through HtmlEncode, HtmlAttributeEncode, XmlEncode, XmlAttributeEncode or CssEncode invalid Unicode characters would be detected and an exception thrown.
I'm not sure what the change is in lines of code, but I would guess that they emit the � explicitly after catching an error. The documentation is quite clear for the Unicode encodings:
To enable error detection and to make the class instance more secure, the application should use the UnicodeEncoding constructor that takes a throwOnInvalidBytes parameter, and set that parameter to true. With error detection, a method that detects an invalid sequence of characters or bytes throws a ArgumentException. Without error detection, no exception is thrown, and the invalid sequence is generally ignored.
I'll try to ping @blowdart and see if he'll write something about this on his blog. What it definitely does mean is that if you output invalid Unicode for some reason, it's probably only your users, and not you, who'll notice. To detect errors you will have to search the output from the AntiXSS library for the �.
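To show the two behaviours the documentation above describes, here is an added example (not code from the original post, and not the AntiXSS library's code) that encodes the same invalid string with a default UnicodeEncoding and with one constructed with throwOnInvalidBytes set to true, and includes the kind of U+FFFD scan you would need on the output of a library that replaces instead of throwing. The sample input is constructed.

```csharp
using System;
using System.Text;

// Added example (not from the original post or from AntiXSS).
public static class UnicodeChecks
{
    // Default: invalid sequences are replaced silently (UTF-16 uses U+FFFD).
    private static readonly Encoding Lenient =
        new UnicodeEncoding(bigEndian: false, byteOrderMark: false);

    // Error-detecting: throws an ArgumentException (EncoderFallbackException
    // for GetBytes, DecoderFallbackException for GetString) on invalid input.
    private static readonly Encoding Strict =
        new UnicodeEncoding(bigEndian: false, byteOrderMark: false, throwOnInvalidBytes: true);

    // True when the text contains U+FFFD, which is what a lenient encoder or a
    // library such as AntiXSS substitutes for characters it could not handle.
    public static bool ContainsReplacementChar(string s) => s.IndexOf('\uFFFD') >= 0;

    public static void Main()
    {
        // Constructed input: "ab" followed by an unpaired high surrogate.
        string input = "ab\uD83D";

        byte[] lenientBytes = Lenient.GetBytes(input);
        string roundTripped = Lenient.GetString(lenientBytes);
        Console.WriteLine("Lenient bytes: " + BitConverter.ToString(lenientBytes));
        Console.WriteLine("Output contains U+FFFD: " + ContainsReplacementChar(roundTripped));

        try
        {
            Strict.GetBytes(input);
            Console.WriteLine("Strict encoder accepted the input");
        }
        catch (EncoderFallbackException e)
        {
            Console.WriteLine("Strict encoder rejected the input: " + e.Message);
        }
    }
}
```

The scan for U+FFFD is a weak substitute for an exception, since a legitimate input could itself contain that character; if you control the encoder, prefer the throwing constructor.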

What the TransformTool bug looked like
Here are two screenshots from TransformTool, the first showing that non-ASCII characters are replaced with question marks.

And here's after my bugfix, using the Exception Fallback, where a System.Text.EncoderFallbackException is thrown:

The code
Here's the code for the console application. I've commented out the safe way to obtain an ASCII encoding. You can give the code a try to see the behaviour for yourself, switching between the safe and unsafe way of instantiating an ASCII encoding.

using System;
using System.Security.Cryptography;
using System.Text;

// The original example strings did not survive when this post was captured. The
// strings below are constructed to match the descriptions printed further down;
// strings 2, 3 and 4 must have the same length for their ASCII bytes to collide.
var exampleStrings = new String[] { "abc", "caf\u00e9", "???", "\u00e6\u00f8\u00e5", "\u00c6\u00d8\u00c5" };

byte[][] ASCIIBytes = new byte[exampleStrings.Length][];

// Unsafe: the static property uses replacement fallback, so every character
// that cannot be encoded silently becomes '?'.
var ASCIIEncoding = System.Text.Encoding.ASCII;
// Safe: the same encoding with exception fallbacks, so an
// EncoderFallbackException is thrown for the first character that cannot be encoded.
//var ASCIIEncoding = System.Text.Encoding.GetEncoding("ASCII",
//    new EncoderExceptionFallback(),
//    new DecoderExceptionFallback());

Console.WriteLine("Strings to encode:");
Console.WriteLine("0: " + exampleStrings[0] + "      -> all ASCII chars");
Console.WriteLine("1: " + exampleStrings[1] + "      -> é is not a valid ASCII char");
Console.WriteLine("2: " + exampleStrings[2] + "      -> all questionmarks (valid ASCII)");
Console.WriteLine("3: " + exampleStrings[3] + "      -> all chars invalid ASCII");
Console.WriteLine("4: " + exampleStrings[4] + "      -> all chars invalid ASCII");

Console.WriteLine("Get bytes (ASCII encoding):");
int i = 0;
foreach (var s in exampleStrings)
{
    ASCIIBytes[i] = ASCIIEncoding.GetBytes(s);
    Console.WriteLine(i + ": " + BitConverter.ToString(ASCIIBytes[i]));
    i++;
}

Console.WriteLine("Let's pretend they are passwords and hash them with SHA-1!");
i = 0;
using (var sha = SHA1CryptoServiceProvider.Create())
{
    // Identical byte arrays give identical hashes, so 2, 3 and 4 collide.
    foreach (byte[] bytes in ASCIIBytes)
        Console.WriteLine(i++ + ": " + BitConverter.ToString(sha.ComputeHash(bytes)));
}

Console.WriteLine("Uhm... Why are 2,3,4 identical?");

Console.WriteLine("Back to ASCII strings: ");
i = 0;
foreach (byte[] bytes in ASCIIBytes)
    Console.WriteLine(i++ + ": " + ASCIIEncoding.GetString(bytes));



  1. And here is an API for .NET to do it properly :)



Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
