5

For some reason this doesn't make sense to me. How is an empty string hashed when there are no chars in the string to hash?

What I'm talking about would look like this:

System.Web.Helpers.Crypto.HashPassword(string.Empty);

How is this possible?

Improve this question
3
  • In general, hash functions process data by updating some internal state. If there is no data to process, then the final state is the same as the initial state. Commented Jan 3, 2014 at 23:17
  • How can string.empty.length be calculated if there are no characters to count? Commented Jan 4, 2014 at 0:45
  • In this case short strings (including the empty string) will simply be padded with 0x00 bytes until it's 64 bytes long, and then it gets hashed. Commented Jan 4, 2014 at 23:26

1 Answer 1

Reset to default
7

From the MSDN:

The password hash is generated with the RFC 2898 algorithm using a 128-bit salt, a 256-bit subkey, and 1000 iterations. The format of the generated hash bytestream is {0x00, salt, subkey}, which is base-64 encoded before it is returned.

First you need to understand how RFC 2898 works. In a nutshell it combines the salt with the passed in password, hashes it a number of times, and produces a bytestream that you can read out as many bytes as you want.

Using the above quoted documentation we see that it picks a random salt that is 128 bits large, uses 1000 hashes, and pulls 256 bits out of the stream at the end.

So we can get chars out because RFC 2898 allows you to take as many bytes as you want to from the output of the function, it is not a fixed output. We also get a different output if we call Crypto.HashPassword(string.Empty); twice because it chooses a new random salt every time we call the function.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Also note that hash functions are still defined on empty input. For example, you can hash a zero-byte file or zero-length string, and they should give you the same output.
Most hash functions operate on blocks of data, incomplete blocks will be often padded with sets of 0 byte values to go to the next larger block size. However see the specification for whatever hash you are interested in for the exact procedure, the above is just the general "what most of them do" guideline.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.