HASHBYTES
Posted Wednesday, February 8, 2012 10:03 PM


Comments posted to this topic are about the item HASHBYTES






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1249456
Posted Wednesday, February 8, 2012 10:13 PM


Good one thanks.

----------------------------------------------
Msg 8134, Level 16, State 1, Line 1
Divide by zero error encountered.
Post #1249458
Posted Wednesday, February 8, 2012 11:55 PM


Add the sale string


The SALE string? This confused me!




One of the symptoms of an approaching nervous breakdown is the belief that one's work is terribly important.
Bertrand Russell
Post #1249482
Posted Thursday, February 9, 2012 12:41 AM


Good question, had to do a bit of research, but the MSDN link doesn't really back up the explanation as it doesn't mention salt anywhere.

Edit: in this thread, an MVP makes the suggestion of adding a salt to the string itself.
http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/6002f5a4-19a0-4a11-a569-e112375d3efa/




How to post forum questions.
Need an answer? No, you need a question.
What’s the deal with Excel & SSIS?

Member of LinkedIn. My blog at LessThanDot.

MCSA SQL Server 2012 - MCSE Business Intelligence
Post #1249510
Posted Thursday, February 9, 2012 12:45 AM
Have to agree that the SALE string confused me too. Otherwise it was a fairly simple question - Thanks
Post #1249511
Posted Thursday, February 9, 2012 1:25 AM


Thanks for the question, Steve.
Took a fair bit of digging to find this.

One would expect MS to allow an optional parameter for salt to the HASHBYTES function...


____________________________________________
Space, the final frontier? not any more...
All limits henceforth are self-imposed.
“libera tute vulgaris ex”
Post #1249519
Posted Thursday, February 9, 2012 2:50 AM


No idea about this really. I guessed it and got it wrong.

Mohammed Moinudheen
Post #1249556
Posted Thursday, February 9, 2012 2:56 AM


For me this question did not make any sense.

The sample code is just concatenating another variable to it, you can name it @salt to @sugar... still the sample code will not make sense to me.

And in your question, you say "SALT parameter"; HASHBYTES does not have any salt parameter, you are just concatenating a variable (declared as salt), which does not make it a parameter.

If you just use this, it gives different results:

select hashbytes ('SHA1', 'FIRST')
select hashbytes ('SHA1', 'FIRST' + ' SECOND')

In both cases the INPUT value is different, so it's obvious the HASH return string will be different (it's a known thing).

My only concern is that the question and its answer do not really suit each other. I don't think SALT is a tech word here in SQL, so it does not paint a proper picture.


ww; Raghu
--
The first and the hardest SQL statement I have wrote- "select * from customers" - and I was happy and felt smart.
Post #1249558
Posted Thursday, February 9, 2012 2:57 AM


Nice question.

Stewart "Arturius" Campbell (2/9/2012)
One would expect MS to allow an optional parameter for salt to the HASHBYTES function...

Or maybe not - unless perhaps they also provided a parameter to indicate whether the salt should be prepended or appended; Steve's code does the latter, but that's pretty unusual because people who deal with cryptographic matters (like hashing and encryption and key management and secure login and...) are used to prepending a salt (because in front is the only place it's useful in the applications of CBC mode encryption that need a salt).


Tom
Post #1249559
Posted Thursday, February 9, 2012 3:38 AM
Koen Verbeeck (2/9/2012)
but the MSDN link doesn't really back up the explanation as it doesn't mention salt anywhere.


I'd second this; it's my understanding that concatenating a fixed string as salt (in Steve's example assigned to a variable) to another string can't be considered a salt parameter, which should be a random value (for increased security). The following query will return the exact same results as Steve's proposed solution in the 'Correct Answer' section of this QotD:

declare @t nvarchar(200)

select @t = N'This is my string'

-- first column: hash of the input alone; second column: hash of the input plus a fixed string
select
Hashbytes('SHA1', @t)
, Hashbytes('SHA1', @t + N'R@nd0mS!a6lTValue')

I'd say, no matter how many string parts are concatenated, the combined string qualifies as { @input | 'input' } following the HASHBYTES syntax.

Interesting question, though.
Thanks,
Michael
Post #1249587
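The distinction drawn in the posts above, between a fixed string concatenated to the input and a random salt, as an added T-SQL example that is not code from any poster in this thread. The table variable, its column names, the 16-byte salt length and the choice of CRYPT_GEN_RANDOM and SHA2_256 are assumptions (SHA2_256 needs SQL Server 2012 or later; the thread's 'SHA1' works the same way with a 20-byte hash column), and the salt is prepended, as the reply about salt placement describes.

```sql
-- Added example: @Hashed and its columns are hypothetical names.
DECLARE @Hashed TABLE (
    Id        int IDENTITY(1,1) PRIMARY KEY,
    Salt      varbinary(16) NOT NULL,  -- random per row, stored next to the hash
    ValueHash varbinary(32) NOT NULL   -- SHA2_256 returns 32 bytes
);

DECLARE @input nvarchar(200) = N'This is my string';  -- constructed sample input
DECLARE @salt  varbinary(16);

-- Store the same input twice, each time with a freshly generated salt.
SET @salt = CRYPT_GEN_RANDOM(16);
INSERT INTO @Hashed (Salt, ValueHash)
VALUES (@salt, HASHBYTES('SHA2_256', @salt + CAST(@input AS varbinary(400))));

SET @salt = CRYPT_GEN_RANDOM(16);
INSERT INTO @Hashed (Salt, ValueHash)
VALUES (@salt, HASHBYTES('SHA2_256', @salt + CAST(@input AS varbinary(400))));

-- Identical input, different salts: the two ValueHash values differ,
-- so equal inputs cannot be spotted by comparing stored hashes.
SELECT Id, Salt, ValueHash FROM @Hashed;

-- Contrast: a fixed string appended to the input gives the same hash
-- for the same input on every row and every run.
SELECT HASHBYTES('SHA2_256', @input + N'FixedString') AS FixedSuffixHash;

-- Verification: recompute with each row's stored salt and compare.
DECLARE @candidate nvarchar(200) = N'This is my string';
SELECT Id,
       CASE WHEN ValueHash =
                 HASHBYTES('SHA2_256', Salt + CAST(@candidate AS varbinary(400)))
            THEN 'match' ELSE 'no match'
       END AS Result
FROM @Hashed;
```

Both rows report 'match' for the original input even though their stored hashes differ, because each comparison uses that row's own salt.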