Hash Functions (Ultibo)


Postby Koen » Fri Jun 15, 2018 8:56 pm

In the Ultibo unit (ultibo/core/fpc/source/rtl/ultibo/core/ultibo.pas) I found
at line 5907
function GenerateNameHash(const Name:String;Size:Integer):LongWord;
{Note: Case Insensitive Hash}

and at line 5936
function GeneratePasswordHash(const Password:String):LongWord;
{Note: Case Sensitive Hash}

which has as second line
WorkBuffer:=Uppercase(Password);

Should it not be switched?
I think the Uppercase function makes GeneratePasswordHash "Case Insensitive".

Re: Hash Functions (Ultibo)

Postby Ultibo » Sat Jun 16, 2018 11:08 am

Koen wrote: Should it not be switched?
I think the Uppercase function makes GeneratePasswordHash "Case Insensitive".

Yes, I think you are correct. The GenerateNameHash function does a very simple uppercase conversion (by subtracting decimal 32 from the character value) whereas the GeneratePasswordHash does the same by calling Uppercase; the result seems to be the same in both cases.

While GenerateNameHash is used in many places throughout Ultibo (like linked lists, file system entries etc) as far as I can see GeneratePasswordHash is not used anywhere. I suspect that the last time we used that function the case sensitivity of passwords might have been a problem for users so it got changed to case insensitive and the comment was never updated.

As of now I wouldn't use that function anymore for generating a secure password hash, instead I would look at the standardized hash functions in the Crypto unit (eg SHA1, SHA256, SHA512 etc) which produce much more reliable results. The hash algorithm used for GenerateNameHash is intended to be simple (and fast) and produce a reasonably good distribution of hash values over a range of input strings, we didn't invent the algorithm as it came from a well known source (which I cannot recall right now).

What we might do is deprecate the GeneratePasswordHash function because the name is misleading and replace it with something like FastStringHash and allow the choice of case sensitive or insensitive results.

Thanks for pointing this out.
Ultibo.org | Make something amazing
https://ultibo.org
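
The effect discussed in this thread, as an added example that is not Ultibo's code: a string hash with a case-sensitivity switch, showing that folding with UpperCase before hashing makes inputs that differ only in case produce the same value. The FastStringHash name and signature are hypothetical, FNV-1a is a stand-in for the GenerateNameHash algorithm (which the thread does not show), and the sample strings are constructed.

```pascal
program FastStringHashDemo;

{$mode objfpc}{$H+}
{$Q-}{$R-} // FNV-1a relies on 32-bit wraparound, so overflow/range checks are off

uses
  SysUtils;

const
  FNV_OFFSET_BASIS = LongWord($811C9DC5);
  FNV_PRIME        = LongWord($01000193);

{Hypothetical FastStringHash: FNV-1a is an assumption, not Ultibo's algorithm}
function FastStringHash(const Value: String; CaseSensitive: Boolean): LongWord;
var
  WorkBuffer: String;
  Count: Integer;
begin
  if CaseSensitive then
    WorkBuffer := Value
  else
    WorkBuffer := UpperCase(Value); // case folding happens before any hashing

  Result := FNV_OFFSET_BASIS;
  for Count := 1 to Length(WorkBuffer) do
  begin
    Result := Result xor Byte(WorkBuffer[Count]);
    Result := LongWord(Result * FNV_PRIME); // keep only the low 32 bits
  end;
end;

{Print whether two inputs hash to the same value in each mode}
procedure Compare(const A, B: String);
begin
  WriteLn(A, ' / ', B);
  WriteLn('  case sensitive   equal: ', FastStringHash(A, True) = FastStringHash(B, True));
  WriteLn('  case insensitive equal: ', FastStringHash(A, False) = FastStringHash(B, False));
end;

begin
  // Constructed sample inputs
  Compare('Secret', 'SECRET');         // differ only in case
  Compare('config.txt', 'CONFIG.TXT'); // typical name lookup
  Compare('Secret', 'Secret1');        // genuinely different strings
end.
```

The result is a 32-bit LongWord intended for lookups such as lists and file system entries; password storage is a separate use for which the reply above points to the Crypto unit.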
