I'm trying to debug a problem we have with an in-house web app and saved passwords. In doing so I've run into something of a roadblock. I've read how IE7 saves passwords under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
Apparently the key name should be a SHA1 hash of the URL, and then the data is the encrypted login data. What is throwing me is trying to verify the hashes. If I take a simple URL and then have IE save my password at that site, I see a new key created. I'd like to know exactly what string (URL) is used to generate this key. When I take the URL and generate a hash in Linux (sha1sum), I get a 40 character hex string (20 bytes). When I look in the registry, all of the entries in Storage2 are 42 characters (21 bytes).
I found a couple of references that said the first byte in the registry was some sort of checksum, but removing that still doesn't get me the right answer.
To further confuse matters, if I generate a SHA1 sum on my Linux box, I get a different hash than from several websites. Clearly I am missing something. For example:
#echo hello | sha1sum
f572d396fae9206628714fb2ce00f72e94f2258f -
but when I visit several sites that claim to have hash generators, the string "hello" produces this value:
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
(http://www.daveproxy.co.uk/tools/sha1_hash_generator.php)
(http://www.ideaspace.net/misc/hash/)
(http://pajhome.org.uk/crypt/md5/)
So what am I doing wrong?
Thanks, Brian
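
The two mismatches described above, as an added example that is not part of the original post: `echo` appends a newline to the hashed input, and the Storage2 value name is not a hash of the plain ASCII URL. The Storage2 scheme used here is an assumption taken from public descriptions of IE7 AutoComplete, not from this page: SHA-1 over the lowercased URL encoded as UTF-16LE with a terminating null, followed by one checksum byte (sum of the 20 digest bytes mod 256). The intranet URLs are constructed.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of the exact bytes given (what sha1sum sees on stdin)."""
    return hashlib.sha1(data).hexdigest()


def storage2_name(url: str) -> str:
    """Value name IE7 is assumed to use under IntelliForms\\Storage2.

    Assumption (not from the post): SHA-1 of the lowercased URL as UTF-16LE
    including the terminating null, plus a trailing checksum byte.
    """
    digest = hashlib.sha1((url.lower() + "\0").encode("utf-16-le")).digest()
    return (digest + bytes([sum(digest) % 256])).hex().upper()


def checksum_ok(name: str) -> bool:
    """True if a 42-hex-character name carries a consistent checksum byte."""
    try:
        raw = bytes.fromhex(name)
    except ValueError:
        return False
    return len(raw) == 21 and sum(raw[:20]) % 256 == raw[20]


def find_url(name: str, candidates):
    """Return the candidate URL that produces this registry name, or None."""
    for url in candidates:
        if storage2_name(url) == name.upper():
            return url
    return None


if __name__ == "__main__":
    print(sha1_hex(b"hello\n"))  # same input as: echo hello | sha1sum
    print(sha1_hex(b"hello"))    # same input as: echo -n hello | sha1sum
    # Constructed candidates: try the URL forms the browser may have stored.
    forms = ["http://intranet.example/login.asp?next=home",
             "http://intranet.example/login.asp",
             "http://intranet.example/"]
    name = storage2_name("HTTP://Intranet.example/Login.asp")
    print(name, checksum_ok(name), find_url(name, forms))
```
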