The company I work for has taken on a support contract for a large order processing system. As part of the initial system audit I noticed that the passwords stored in the database were actually the hashcode of the password.
Essentially:
string pwd = "some password"; string securePwd = pwd.GetHashCode().ToString(); // the 32-bit hash code, stored as text
My question is, how secure or otherwise is this?
I’m not comfortable with it, but I don’t know enough about how GetHashCode works. I would prefer to use something like an MD5 hash, but if I’m wasting my time then I won’t bother.
GetHashCode returns a 32 bit integer as the hash value. Considering the birthday paradox, it’s not a long enough hash value due to the relatively high probability of collisions, even if it were explicitly designed to be collision resistant, which it is not. You should go for SHA256 or another cryptographically secure hash function designed to handle such a task.
To store passwords, just using a simple hash function is not enough. You should add some random ‘salt’ per user and iterate enough times so that it would be computationally expensive to brute force. Therefore, you should use something like bcrypt, scrypt, PBKDF2, with a large number of iterations.