Question

If I use HMACSHA256.ComputeHash in my password encoding scheme and generate password hashes on one server then later need to migrate to a different server, will my hashes still encode the same? I recall seeing something about machineKey settings being involved in cryptography operations, but I'm not entirely familiar.


Solution

Whether or not they will still encode the same depends on how you create the HMACSHA256 object. It will use whatever key you instantiate it with to do the hashes or, if you don't specify a key, it will generate a random key. As long as you pass it the same key, it will generate the same hashes.

OTHER TIPS

HMAC computes a hash from a secret and the data you want to authenticate. In order for two servers to compute the same HMAC they'll have to share the secret, which possibly makes it not that secret. In order to be able to verify old passwords, the secret will need either to be fixed or to be somehow referenced alongside the stored password if it can change, making it practically a salt.

Using HMAC in a password storage setting is pretty odd: it's not a proper password derivation function (way too fast, not memory intensive enough) and the secret doesn't bring much value, if any, seeing it must be fixed (unlike proper HMAC usage where the secret is agreed upon by the communicating parties for a session and forgotten about after).
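Added example in C# (not code from either answer) illustrating both points above: an HMACSHA256 built with an explicit shared key verifies on any server, a parameterless HMACSHA256 gets a fresh random key so its output never matches what another server stored, and keeping a key identifier next to each stored hash lets old records verify after the key changes. The KeyRing, Protect and Verify names and the key strings are invented for this example; as the tip notes, HMAC alone is still not a password hashing function.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Illustrative only: key ring, method names and key values are assumptions for this example.
static class HmacKeyDemo
{
    // Key id -> key bytes. In practice this is shared configuration or a secret store
    // that every server reads, never a random per-process key.
    static readonly Dictionary<string, byte[]> KeyRing = new()
    {
        ["k1"] = Encoding.UTF8.GetBytes("demo-key-1-constructed-for-this-example"),
        ["k2"] = Encoding.UTF8.GetBytes("demo-key-2-constructed-for-this-example"),
    };

    // Stored form is "<keyId>:<hex tag>", so a record remembers which key produced it.
    public static string Protect(string keyId, string password)
    {
        using var mac = new HMACSHA256(KeyRing[keyId]);
        return keyId + ":" + Convert.ToHexString(mac.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    public static bool Verify(string stored, string password)
    {
        int sep = stored.IndexOf(':');
        if (sep < 0 || !KeyRing.TryGetValue(stored[..sep], out var key)) return false;
        using var mac = new HMACSHA256(key);
        byte[] expected = Convert.FromHexString(stored[(sep + 1)..]);
        byte[] actual = mac.ComputeHash(Encoding.UTF8.GetBytes(password));
        // Constant-time comparison so the check does not leak where the tags differ.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    static void Main()
    {
        string stored = Protect("k1", "correct horse");
        // Second server holding the same k1 key: verifies.
        Console.WriteLine(Verify(stored, "correct horse"));

        // Parameterless constructor: random key per instance, so this "server B"
        // tag will not equal the stored one even for the same password.
        using var serverB = new HMACSHA256();
        string onB = "k1:" + Convert.ToHexString(serverB.ComputeHash(Encoding.UTF8.GetBytes("correct horse")));
        Console.WriteLine(stored == onB);

        // After switching new records to k2, old "k1:" records still verify.
        string newer = Protect("k2", "correct horse");
        Console.WriteLine(Verify(stored, "correct horse") && Verify(newer, "correct horse"));
    }
}
```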

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow