AdventureWorks2012 DB - how the password was stored and how the password validated?

问题

I got AdventureWorks2012 DB from http://msftdbprodsamples.codeplex.com/releases/view/55330 and trying to ValidatePassword from Person.Password table. 'PasswordHash' column description says "Password for the e-mail account." and 'PasswordSalt' column description says "Random value concatenated with the password string before the password is hashed."

Here are the sample data from the DB:

BusinessEntityID, PasswordHash, PasswordSalt, EmailAddress
---------------- --------------------------------------------------------------------------
1, pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=, bE3XiWw=, ken0@adventure-works.com

2, bawRVNrZQYQ05qF05Gz6VLilnviZmrqBReTTAGAudm0=, "EjJaC3U=, terri0@adventure-works.com

How do I know which hash algorithm is used to create the PasswordHash? And how passwordsalt was generated?

Here is the code attempt to validate the password but none of the hash algorithm is working. Can anyone please shed some light on this?

public class SecurityService : ISecurityService
    {
        public string UserName { get; set; }

        public bool ValidateCredentials(string password, Password dbPassword)
        {
            bool valid = false;

            byte[] saltBytes = Convert.FromBase64String(dbPassword.PasswordSalt); //dbPassword.PasswordSalt: bE3XiWw=
            byte[] passwordBytes = Encoding.Unicode.GetBytes(password); //password: ken0@adventure-works.com
            byte[] passwordHashBytes = Convert.FromBase64String(dbPassword.PasswordHash);//dbPassword.PasswordHash: pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=
            byte[] passwordHashed    = Hash(passwordBytes, saltBytes);
            byte[] dbPasswordHashed  = Hash(passwordHashBytes, saltBytes);

            valid = dbPasswordHashed.SequenceEqual(passwordHashed);

            return valid;

        }

        private static byte[] Hash(byte[] value, byte[] salt)
        {
            byte[] saltedValue = value.Concat(salt).ToArray();
            return HashAlgorithm.Create("MD5").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA1").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA256").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA384").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA512").ComputeHash(saltedValue);  
        }
    }

回答1:

If you replace valid = dbPasswordHashed.SequenceEqual(passwordHashed); with valid = passwordHashBytes.SequenceEqual(passwordHashed);

it will give correct results.

来源：https://stackoverflow.com/questions/24815872/adventureworks2012-db-how-the-password-was-stored-and-how-the-password-validat