3

I have a method to create a hashed password. However, it crashes at salt.CopyTo(pwd, 0); it says that the target byte[] is too small. How do I solve the problem?

    public static byte[] CreateHashedPassword(string password, byte[] salt)
    {
        SHA1 sha1 = SHA1.Create();
        byte[] pwd = CustomHelpers.StringToByteArray(password);
        salt.CopyTo(pwd, 0);
        sha1.ComputeHash(pwd);

        return pwd;
    }
2
  • 3
    Did you really intend to overwrite part of the bytes generated from the SHA of the password with the salt, or did you intend to insert the salt before those bytes? Commented Feb 24, 2010 at 22:03
  • My intentions are to add the salt to the beginning of the password, before hashing them together. Commented Feb 25, 2010 at 22:09

3 Answers 3

9

You need to create a longer byte array to contain both the salt and the password:

    // "password" here is the password as a byte[] (pwd in the question's code)
    byte[] result = new byte[salt.Length + password.Length];
    salt.CopyTo(result, 0);
    password.CopyTo(result, salt.Length);

5 Comments

It shouldn't be random, you need to know what it is to test passwords against the hashed and salted password.
Zach: It should be random, but you should keep a copy of it. But I've changed my answer now anyway as I realise what he was trying to do (insert the bytes at the start of the array).
From what I understand, it need not be random since the purpose of salt is to defeat rainbow table attacks. Even if the bad guys know what the salt is, they still have to manually calculate the hashes of the passwords.
If the salt is the same for each password you use, then you still haven't stopped a dictionary attack. The point of the salt is so that an attacker can only brute-force your password database one password at a time, instead of all at once.
Works like a charm, Mark. Thank you very much. And yes, my salts are random for each password. It's the safest way to do it.
1

Maybe something like this?

    public static byte[] CreateHashedPassword(string password, byte[] salt)
    {
        SHA1 sha1 = SHA1.Create();
        byte[] pwd = CustomHelpers.StringToByteArray(password);
        byte[] pwdPlusSalt = new byte[salt.Length + pwd.Length];
        salt.CopyTo(pwdPlusSalt, 0);
        pwd.CopyTo(pwdPlusSalt, salt.Length);

        return sha1.ComputeHash(pwdPlusSalt);
    }

1 Comment

Thank you, Jeffrey, this is exactly what my code looks like after adding what Mark suggested.
0

How big is the salt? Are you intending to add it to the password?

Here's how to add it to the start of the password:

    byte[] pwdAndSalt = new byte[pwd.Length + salt.Length];
    for (int i = 0; i < pwdAndSalt.Length; i++)
    {
        if (i < salt.Length)
        {
            pwdAndSalt[i] = salt[i];
        }
        else
        {
            pwdAndSalt[i] = pwd[i - salt.Length];
        }
    }
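
An added example, not code from any of the posts above: it puts the salt-then-password layout from the answers together with the per-password random salt discussed in the comments, and shows storing the salt and verifying a login attempt against it. The class name, NewSalt, Verify, the UTF-8 encoding (standing in for CustomHelpers.StringToByteArray, which the page does not show) and the sample password are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SaltedHashDemo
{
    // Fresh random salt for each password; store it beside the hash.
    public static byte[] NewSalt(int size = 16)
    {
        byte[] salt = new byte[size];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    // Hash salt || password: the buffer must hold both arrays.
    public static byte[] CreateHashedPassword(string password, byte[] salt)
    {
        // Assumption: UTF-8 replaces the question's CustomHelpers.StringToByteArray.
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] salted = new byte[salt.Length + pwd.Length];
        salt.CopyTo(salted, 0);
        pwd.CopyTo(salted, salt.Length);
        using (SHA1 sha1 = SHA1.Create()) // SHA1 as used in the question
            return sha1.ComputeHash(salted);
    }

    // Recompute with the stored salt and compare every byte, with no early exit.
    public static bool Verify(string candidate, byte[] salt, byte[] storedHash)
    {
        byte[] actual = CreateHashedPassword(candidate, salt);
        int diff = actual.Length ^ storedHash.Length;
        for (int i = 0; i < actual.Length && i < storedHash.Length; i++)
            diff |= actual[i] ^ storedHash[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample data: two accounts that chose the same password.
        byte[] saltA = NewSalt(), saltB = NewSalt();
        byte[] hashA = CreateHashedPassword("correct horse", saltA);
        byte[] hashB = CreateHashedPassword("correct horse", saltB);
        bool same = Convert.ToBase64String(hashA) == Convert.ToBase64String(hashB);
        Console.WriteLine("same password, stored hashes equal: " + same);
        Console.WriteLine("right password, own salt: " + Verify("correct horse", saltA, hashA));
        Console.WriteLine("wrong password, own salt: " + Verify("wrong horse", saltA, hashA));
        Console.WriteLine("right password, other salt: " + Verify("correct horse", saltB, hashA));
    }
}
```

A single pass of a fast hash stays cheap to brute-force even with a per-password salt; Rfc2898DeriveBytes (PBKDF2) in System.Security.Cryptography takes the same salt plus an iteration count.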
