HASHBYTES

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 717408

    Comments posted to this topic are about the item HASHBYTES

  • Henrico Bekker

    One Orange Chip

    Points: 27652

    Good one thanks.

    --
    This thing is addressing problems that don't exist. It's solution-ism at its worst. We are dumbing down machines that are inherently superior. - Gilfoyle

  • GPO

    SSCarpal Tunnel

    Points: 4556

    Add the sale string

    The SALE string? This confused me! 😛

    ...One of the symptoms of an approaching nervous breakdown is the belief that one's work is terribly important.... Bertrand Russell

  • Koen Verbeeck

    SSC Guru

    Points: 258955

    Good question, had to do a bit of research, but the MSDN link doesn't really back up the explanation as it doesn't mention salt anywhere.

    edit: in this thread, an MVP makes the suggestion of adding a salt to the string itself.

    http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/6002f5a4-19a0-4a11-a569-e112375d3efa/

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • Michael Riemer

    SSCertifiable

    Points: 5013

    Have to agree that the SALE string confused me too. Otherwise it was a fairly simple question - Thanks

  • M&M

    SSC-Insane

    Points: 21697

    No idea about this really. I guessed it and got it wrong 🙂

    M&M

  • Raghavendra Mudugal

    SSChampion

    Points: 10658

    For me this question did not make any sense.

    The sample code is just concatenating another variable to it; you can name it @salt or @sugar, still the sample code will not make sense to me.

    And in your question, you say SALT parameter, but HASHBYTES does not have any salt parameter; you are just concatenating a variable (declared as salt), which does not make it a parameter.

    If you just use this, it gives different results:

    select hashbytes ('SHA1', 'FIRST')

    select hashbytes ('SHA1', 'FIRST' + ' SECOND')

    In both cases the INPUT value is different, so it's obvious the HASH return string will be different. (It's a known thing.)

    My only concern is that the question and its answer do not really suit each other. I don't think SALT is a tech word here in SQL, so it does not paint a proper picture.

    ww; Raghu
    --
    The first and the hardest SQL statement I have written - "select * from customers" - and I was happy and felt smart.

  • TomThomson

    SSC Guru

    Points: 104772

    Nice question.

    Stewart "Arturius" Campbell (2/9/2012)


    One would expect MS to allow an optional parameter for salt to the HASHBYTES function...

    Or maybe not - unless perhaps they also provided a parameter to indicate whether the salt should be prepended or appended; Steve's code does the latter, but that's pretty unusual because people who deal with cryptographic matters (like hashing and encryption and key management and secure login and...) are used to prepending a salt (because in front is the only place it's useful in the applications of CBC mode encryption that need a salt).

    Tom

  • michael.kaufmann

    SSCrazy

    Points: 2816

    Koen Verbeeck (2/9/2012)


    but the MSDN link doesn't really back-up the explanation as it doesn't mention salt anywhere.

    I'd second this; it's my understanding that concatenating a fixed string as salt (in Steve's example assigned to a variable) to another string can't be considered a salt parameter, which should be a random value (for increased security). The following query will return the exact same results as Steve's proposed solution in the 'Correct Answer' section of this QotD :cool::

    declare @t nvarchar(200)
    select @t = N'This is my string'
    select
        Hashbytes('SHA1', @t)
        , Hashbytes('SHA1', @t + N'R@nd0mS!a6lTValue')

    I'd say, no matter how many string parts are concatenated, the combined string qualifies as { @input | 'input' } following the HASHBYTES syntax.

    Interesting question, though.

    Thanks,

    Michael
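
Pulling together Tom's point that a salt is normally prepended and Michael's point that a salt should be a random value rather than a fixed string, the following T-SQL is an added example; it is not code from the question or from any post in this thread. HASHBYTES has no salt parameter, so the salt is simply part of the input bytes. It assumes SQL Server 2008 or later for CRYPT_GEN_RANDOM and inline variable initialization, and SQL Server 2012 or later for the SHA2_256 algorithm; the table, the user names and the sample string are constructed for the example.

```sql
-- Added example (not from the thread): a per-row random salt, prepended to the
-- secret before hashing and stored next to the hash so it can be verified later.
-- Assumes SQL Server 2008+ (CRYPT_GEN_RANDOM) and 2012+ (SHA2_256).

DECLARE @Users TABLE (
    UserName  nvarchar(50)   NOT NULL,
    Salt      varbinary(16)  NOT NULL,   -- random, unique per row, not secret
    PwdHash   varbinary(32)  NOT NULL    -- SHA2_256 output is 32 bytes
);

-- Constructed sample secret; the same value is stored for two users on purpose.
DECLARE @pwd nvarchar(100) = N'This is my string';

-- Row 1: 16 random bytes, then HASHBYTES over salt || UTF-16LE bytes of the secret.
-- '+' on varbinary operands is byte concatenation in T-SQL.
DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO @Users (UserName, Salt, PwdHash)
VALUES (N'alice', @salt,
        HASHBYTES('SHA2_256', @salt + CAST(@pwd AS varbinary(200))));

-- Row 2: same secret, fresh salt. The stored hashes differ, so equal passwords
-- are not recognisable by comparing rows, which a fixed string cannot achieve.
SET @salt = CRYPT_GEN_RANDOM(16);
INSERT INTO @Users (UserName, Salt, PwdHash)
VALUES (N'bob', @salt,
        HASHBYTES('SHA2_256', @salt + CAST(@pwd AS varbinary(200))));

-- Verification: recompute with each row's stored salt and compare the bytes.
DECLARE @candidate nvarchar(100) = N'This is my string';
SELECT UserName,
       CASE WHEN PwdHash = HASHBYTES('SHA2_256', Salt + CAST(@candidate AS varbinary(200)))
            THEN 'match' ELSE 'no match' END AS Result
FROM @Users;
```

The CAST to varbinary keeps the nvarchar bytes as UTF-16LE, so verification must cast the candidate the same way; mixing varchar and nvarchar inputs would change the bytes and the hash. The salt is stored in clear next to the hash: its job is to make each row's input unique, not to stay hidden.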

  • Raghavendra Mudugal

    SSChampion

    Points: 10658

    0xB9A02E529093456D139C69FC5E5D4D825B7EC24B 0xCDE457DD8AB6C020E9852FE5B6953E02631A2CB2

    this is the output of your query, just wanted to know what you mean by "exact same results"....?

    ww; Raghu
    --
    The first and the hardest SQL statement I have written - "select * from customers" - and I was happy and felt smart.

  • KrishnaChaithanya

    SSC Journeyman

    Points: 89

    hearing for the first time about hashbytes.. good platform to learn new things...:cool:

  • ma-516002

    Hall of Fame

    Points: 3299

  • michael.kaufmann

    SSCrazy

    Points: 2816

    Raghavendra Mudugal (2/9/2012)


    0xB9A02E529093456D139C69FC5E5D4D825B7EC24B 0xCDE457DD8AB6C020E9852FE5B6953E02631A2CB2

    this is the output of your query, just wanted to know what you mean by "exact same results"....?

    The result is exactly the same as when running Steve's code (see the solution to the QotD in this thread).

    -Michael

  • michael.kaufmann

    SSCrazy

    Points: 2816

    From a coding perspective (having a random salt parameter), this URL to a post on stackoverflow.com has a nice twist to the matter.

    Cheers,

    Michael
