## GUID guide, part three

Let’s recap: a GUID is a 128-bit integer that is used as a globally unique identifier. GUIDs are not a security system; they do not guarantee uniqueness in a world where hostile parties are deliberately attempting to cause collisions; rather, they provide a cheap and easy way for mutually benign parties to generate identifiers…

## What’s the difference? Remainder vs Modulus

Today, another episode of my ongoing series “What’s the difference?” Today, what’s the difference between a remainder and a modulus, and which, if either, does the % operator represent in C#? A powerful idea that you see come up in mathematics and computer programming over and over again is the idea of an equivalence relation….

## The curious property revealed

Today is the fifteenth anniversary of my first day of full-time work here at Microsoft. Hard to believe it has been a decade and a half of writing developer tools. I am tremendously fortunate to be able to work with such a great team on such a great toolset for such great customers. I’m…

Here’s a common problem that we face in the compiler realm all the time: you want to make an efficient immutable lookup table for mapping names to “symbols”. This is in a sense the primary problem that the compiler has to solve; someone says “x = y + z;” and we have to figure out…

## Guidelines and rules for GetHashCode

“The code is more what you’d call guidelines than actual rules” – truer words were never spoken. It’s important when writing code to understand what are vague “guidelines” that should be followed but can be broken or fudged, and what are crisp “rules” that have serious negative consequences for correctness and robustness. I often get…

## Socks, birthdays and hash collisions

Suppose you’ve got a huge mixed-up pile of white, black, green and red socks, with roughly equal numbers of each. You randomly choose two of them. What is the probability that they are a matched pair? There are sixteen ways of choosing a pair of socks: WW, WB, WG, WR, BW, BB, … Of those…

## Do not use string hashes for security purposes

A recent question I got about the .NET CLR’s hashing algorithm for strings is apropos of our discussion from January on using salted hashes for security purposes. The question was basically “my database of password hashes doesn’t seem to work with .NET v2.0, what’s up with that?” To make a long story short, the answer…

## You Want Salt With That? Part Two: We Need A Hash

OK, we want to sketch out an authentication system which is sufficiently secure against common attacks even if all the details of the system are known to the attacker. Let’s start with a simple system, take a look at what its vulnerabilities are, and see if we can mitigate them: System #1 The client transmits…