Password Encryptor/Decryptor for ASP 3.0?

[M P]

Hi!

Im planning to encrypt the password that was stored on msaccess database and
also the text inputed from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable to
the one that is inputed on the textbox. Is there a way on how to handle
this?

MP

 

[Evertjan.]

M P wrote on 14 okt 2005 in microsoft.public.inetserver.asp.general:

Also, if I want to get the
password from the database, I need to decrypt it

Not the only way.
You also could,
if the encription proces is unique [=gives always the same result],
compare both encripted forms.

 

[Gottfried Mayer]

Hi!

Im planning to encrypt the password that was stored on msaccess database and
also the text inputed from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable to
the one that is inputed on the textbox. Is there a way on how to handle
this?

MP

Hi M P,

To store passwords, the one-way or "hash" algorhythms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:

Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB

User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.


There are several different hash algorhythms around, the most commonly
used is called MD5:
http://www.aspfaq.com/show.asp?id=2397

The first example on this page is a implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.


HTH
Gottfried

 

[M P]

Hi!

Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?

regards,
Me

 

[Roland Hall]

in message : Thanks for the reply. My question is how do I handle this MD5 algorithm?
For
: example, I have a login page, how do I use the javascript?

Please respond after responses, not before them.

You don't use javascript to do this. You do it on the server-side. If you
need a MD5 function already written to work in ASP, then go here:
http://www.frez.co.uk/freecode.htm#md5

The function is md5. I call it with:
eStr = md5(str)

I put it in it's own file and I include it into any page I need. A starter
example...

<%@ Langauge = "VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
dim username, password, ePassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
username = Server.HTMLEncode(Replace(Request.Form("username"),"'","''"))
password = Server.HTMLEncode(Replace(Request.Form("password"),"'","''"))
' form validation
' get password from database if username exists
ePassword = md5(password)
if ePassword = cPassword then
' write to log
' validate logon
session("user") = username
' redirect to welcome
else
' report error to user
' write to log
' redirect to logon
end if
end if
%>
<!-- display logon form -->

My nocache.asp page:

<%
with Response
.Expires = -1
.ExpiresAbsolute = Now() - 1
.AddHeader "pragma", "no-cache"
.AddHeader "cache-control", "private"
.CacheControl = "no-cache"
end with
%>

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Gottfried Mayer]

in message : Thanks for the reply. My question is how do I handle this MD5 algorithm?
For
: example, I have a login page, how do I use the javascript?

Please respond after responses, not before them.

You don't use javascript to do this. You do it on the server-side. If you
need a MD5 function already written to work in ASP, then go here:
http://www.frez.co.uk/freecode.htm#md5

The function is md5. I call it with:
eStr = md5(str)

I put it in it's own file and I include it into any page I need. A starter
example...

<%@ Langauge = "VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
dim username, password, ePassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
username = Server.HTMLEncode(Replace(Request.Form("username"),"'","''"))
password = Server.HTMLEncode(Replace(Request.Form("password"),"'","''"))
' form validation
' get password from database if username exists
ePassword = md5(password)
if ePassword = cPassword then
' write to log
' validate logon
session("user") = username
' redirect to welcome
else
' report error to user
' write to log
' redirect to logon
end if
end if
%>
<!-- display logon form -->

My nocache.asp page:

<%
with Response
.Expires = -1
.ExpiresAbsolute = Now() - 1
.AddHeader "pragma", "no-cache"
.AddHeader "cache-control", "private"
.CacheControl = "no-cache"
end with
%>

HTH...

Although it seems easier to put this all in one place, you might want to
consider this:

If you do the encryption all server-side, every client will send his/her
password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
internet. (or use SSL to encrypt the whole data transfer between client
and server)


just my 2 cents
Gottfried

 

[Gottfried Mayer]

Hi!

Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?

regards,
Me

Hi M P,

You can read about the JavaScript implementation on this page:
http://pajhome.org.uk/crypt/md5/auth.html
(it even has a very interesting challange-response example to enhance
security further)


But basically, it works like this:

download md5.js, put it in your web dir.

load the JavaScript into the Login page:
<script src="md5.js" type="text/javascript"></script>

insert the md5 calculation in the onSubmit trigger of your login form:

example login form:
<form onSubmit="pw.value = hex_md5(pw.value);" name="loginform"
action="login.asp" method="post">
User: <input type="text" name="un"><br>
Pass: <input type="password" name="pw"><br>
<input type="submit" name="submit" value="submit">
</form>


On Server-Side, you check the Request("pw") against the value stored in
the database (don't forget to clean up the request string first to
prevent SQL injection ==> google).
This way, only the client knows the plain-text password, every further
step is encrypted.

HTH
Gottfried

 

[Roland Hall]

:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[PJones]

check out www.aspprotect.com
or search www.aspin.com

 

[Bob Barrows [MVP]]

Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.

Bob Barrows

 

[M P]

its ok bob. I am still monitoring the thread. Thanks PJones!

 

[PJones]

gee, guess ya don't know everything bob

what did you do?, take over Aaron's job as newsgroup Ogar

 

[Bob Barrows [MVP]]

gee, guess ya don't know everything bob

Where did I use the word "know"? Let's see ... yes, the word I used is
"unlikely".

what did you do?, take over Aaron's job as newsgroup Ogar

And why is offering a helpful suggestion to you making me an "Ogar"? I would
be grateful if somebody pointed out to me that I was wasting my time
replying to a poster who might no longer be around. In fact, I did receive a
"thank you" once for this same sort of situation. A newcomer to the group
was replying to month-old questions. When I asked him about it, he stopped,
and a few days later, posted a thank you message saying that problems with
his ISP was causing delays in his receiving newsgroup posts. If I hadn't
said anything, he would never have contacted his ISP to fix the problem.

Bob Barrows

 

[PJones]

I got an idea, help people who need it and stop trying to the police the
newgroups.

It is futile, just like the 1000 times I have seen you bitch people out
because they were not doing something the way you would. Nobody came here
for a lecture. As a matter of fact it causes a lot of people to never come
back and gives them a real bad impression of the newgroups.

Maybe it is not meant to come across that way, but it sure does the way you
guys act.

Take a chill pill... if newgroups were meant to be perfect there would be
things in place to keep the things some of you do not like from happening.
Like Top Posting that Evertjan is always bitching about like a little girl.

Who the F!@# cares...

 

[Bob Barrows [MVP]]

I got an idea, help people who need it and stop trying to the police
the newgroups.

Well, given that you just completely ignored what I had to say, I guess you
have a bug up your ass and there's no point in carrying on this conversation
any further.

plonk

 

[McKirahan]

Where did I use the word "know"? Let's see ... yes, the word I used is
"unlikely".


And why is offering a helpful suggestion to you making me an "Ogar"?

[snip]

Perhaps he meant to call you an "ogre" as "Ogar" is not a word.

(And you don't deserve that label as you are a great resource.)