Compare SHA2_512 C# and SQL Server

Question

I want to compare password when user logins from ASP.NET Site to One I generated for him in SQL Server.

So, I generate password field in SQL server like this:

insert into users 
select 'username',  HASHBYTES('SHA2_512', CONVERT(nvarchar(4000),'password'))

And code in C#:

string text = Password;
            SHA512 alg = SHA512.Create();
            byte[] result = alg.ComputeHash(Encoding.UTF8.GetBytes(text));
            string hash = Encoding.UTF8.GetString(result);

And those two hashes are very different.

Where am I wrong?

SHA 512 is too fast for passwords. Use salted bcrypt. – SLaks May 26 '13 at 21:12 — SLaks, May 26 '13 at 21:12
Hash results are not valid UTF8. Use Base64. – SLaks May 26 '13 at 21:13 — SLaks, May 26 '13 at 21:13

score 1 · Answer 1 · edited May 23 '17 at 11:43

1

NVARCHAR is a 16-bit encoding — most likely little-endian UTF-16. HASHBYTES is therefore probably seeing a different input to ComputeHash.

Try Encoding.Unicode.

Also, don't use Encoding to convert result to a string. It contains raw bytes, not encodings of characters. If you want a string, convert the bytes to hex digits or Base64.

edited May 23 '17 at 11:43

Community

1
1

answered May 26 '13 at 21:11

Marcelo Cantos

181,030
38
327
365

Compare SHA2_512 C# and SQL Server

1 Answers1