Password Encryptor/Decryptor for ASP 3.0?

Discussion in 'ASP General' started by M P, Oct 14, 2005.

  1. M P

    M P Guest

    Hi!

    I'm planning to encrypt the password that is stored in an MS Access database and
    also the text inputted in a password textbox. Also, if I want to get the
    password from the database, I need to decrypt it so it can be compared to
    the one that is inputted in the textbox. Is there a way to handle
    this?

    MP
    M P, Oct 14, 2005
    #1

  2. M P

    Evertjan. Guest

    M P wrote on 14 Oct 2005 in microsoft.public.inetserver.asp.general:

    > Also, if I want to get the
    > password from the database, I need to decrypt it


    Not the only way.
    You also could,
    if the encryption process is unique [=gives always the same result],
    compare both encrypted forms.

    --
    Evertjan.
    The Netherlands.
    (Replace all crosses with dots in my emailaddress)
    Evertjan., Oct 14, 2005
    #2

  3. M P wrote:
    > Hi!
    >
    > I'm planning to encrypt the password that is stored in an MS Access database and
    > also the text inputted in a password textbox. Also, if I want to get the
    > password from the database, I need to decrypt it so it can be compared to
    > the one that is inputted in the textbox. Is there a way to handle
    > this?
    >
    > MP
    >
    >


    Hi M P,

    To store passwords, the one-way or "hash" algorithms will be the most
    useful to use:
    As the name says, this is a one-way procedure, for example:

    Password: mysecretpass
    Hash (example): 28F9E2A118B3 <== Store this in DB

    User inputs: mysecretpass
    Calculate Hash: 28F9E2A118B3
    Compare this to value stored in DB.


    There are several different hash algorithms around, the most commonly
    used is called MD5:
    http://www.aspfaq.com/show.asp?id=2397

    The first example on this page is an implementation in JavaScript; this
    ensures that the password is encrypted on the client computer and
    submitted in the encrypted form.


    HTH
    Gottfried
    Gottfried Mayer, Oct 14, 2005
    #3
  4. M P

    M P Guest

    Hi!

    Thanks for the reply. My question is how do I handle this MD5 algorithm? For
    example, I have a login page, how do I use the javascript?

    regards,
    Me
    M P, Oct 19, 2005
    #4
  5. M P

    Roland Hall Guest

    "M P" wrote in message news:%...
    : Thanks for the reply. My question is how do I handle this MD5 algorithm? For
    : example, I have a login page, how do I use the javascript?

    Please respond after responses, not before them.

    You don't use javascript to do this. You do it on the server-side. If you
    need a MD5 function already written to work in ASP, then go here:
    http://www.frez.co.uk/freecode.htm#md5

    The function is md5. I call it with:
    eStr = md5(str)

    I put it in its own file and I include it into any page I need. A starter
    example...

    <%@ Language = "VBScript" %>
    <%
    Option Explicit
    Response.Buffer = True
    %>
    <!--#include virtual="/asp/nocache.asp"-->
    <!--#include virtual="/asp/md5.asp"-->
    <%
    ' cPassword holds the MD5 hash stored in the database for this user
    dim username, password, ePassword, cPassword, method
    method = Request.ServerVariables("REQUEST_METHOD")
    if method = "POST" then ' form has been posted
      username = Server.HTMLEncode(Replace(Request.Form("username"),"'","''"))
      password = Server.HTMLEncode(Replace(Request.Form("password"),"'","''"))
      ' form validation
      ' get password from database if username exists (assign it to cPassword)
      ePassword = md5(password)
      if ePassword = cPassword then
        ' write to log
        ' validate logon
        session("user") = username
        ' redirect to welcome
      else
        ' report error to user
        ' write to log
        ' redirect to logon
      end if
    end if
    %>
    <!-- display logon form -->

    My nocache.asp page:

    <%
    with Response
    .Expires = -1
    .ExpiresAbsolute = Now() - 1
    .AddHeader "pragma", "no-cache"
    .AddHeader "cache-control", "private"
    .CacheControl = "no-cache"
    end with
    %>

    HTH...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, Oct 19, 2005
    #5
  6. Roland Hall wrote:
    > "M P" wrote in message news:%...
    > : Thanks for the reply. My question is how do I handle this MD5 algorithm? For
    > : example, I have a login page, how do I use the javascript?
    >
    > Please respond after responses, not before them.
    >
    > You don't use javascript to do this. You do it on the server-side. If you
    > need a MD5 function already written to work in ASP, then go here:
    > http://www.frez.co.uk/freecode.htm#md5


    Although it seems easier to put this all in one place, you might want to
    consider this:

    If you do the encryption all server-side, every client will send his/her
    password as plain-text over the internet.

    In my opinion (and for security reasons), I would use a client-side
    (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
    internet. (or use SSL to encrypt the whole data transfer between client
    and server)


    just my 2 cents
    Gottfried
    Gottfried Mayer, Oct 19, 2005
    #6
  7. M P wrote:
    > Hi!
    >
    > Thanks for the reply. My question is how do I handle this MD5 algorithm? For
    > example, I have a login page, how do I use the javascript?
    >
    > regards,
    > Me

    Hi M P,

    You can read about the JavaScript implementation on this page:
    http://pajhome.org.uk/crypt/md5/auth.html
    (it even has a very interesting challenge-response example to enhance
    security further)


    But basically, it works like this:

    download md5.js, put it in your web dir.

    load the JavaScript into the Login page:
    <script src="md5.js" type="text/javascript"></script>

    insert the md5 calculation in the onSubmit trigger of your login form:

    example login form:
    <form onSubmit="pw.value = hex_md5(pw.value);" name="loginform"
    action="login.asp" method="post">
    User: <input type="text" name="un"><br>
    Pass: <input type="password" name="pw"><br>
    <input type="submit" name="submit" value="submit">
    </form>


    On Server-Side, you check the Request("pw") against the value stored in
    the database (don't forget to clean up the request string first to
    prevent SQL injection ==> google).
    This way, only the client knows the plain-text password, every further
    step is encrypted.

    HTH
    Gottfried
    Gottfried Mayer, Oct 19, 2005
    #7
  8. M P

    Roland Hall Guest

    "Gottfried Mayer" <> wrote in message
    news:...
    :
    : Although it seems easier to put this all in one place, you might want to
    : consider this:
    :
    : If you do the encryption all server-side, every client will send his/her
    : password as plain-text over the internet.
    :
    : In my opinion (and for security reasons), I would use a client-side
    : (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
    : internet. (or use SSL to encrypt the whole data transfer between client
    : and server)

    I would normally use SSL, as all basic authentication should, but the
    client-side alternative is a good suggestion.

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, Oct 22, 2005
    #8
  9. M P

    PJones Guest

    check out www.aspprotect.com
    or search www.aspin.com
    PJones, Nov 27, 2005
    #9
  10. Why are you responding to month-old questions? The original poster is
    unlikely to be paying attention to this thread anymore.

    Bob Barrows
    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
    Bob Barrows [MVP], Nov 27, 2005
    #10
  11. M P

    M P Guest

    its ok bob. I am still monitoring the thread. Thanks PJones!
    M P, Nov 30, 2005
    #11
  12. M P

    PJones Guest

    gee, guess ya don't know everything bob

    what did you do?, take over Aaron's job as newsgroup Ogar
    PJones, Dec 1, 2005
    #12
  13. PJones wrote:
    > gee, guess ya don't know everything bob
    >

    Where did I use the word "know"? Let's see ... yes, the word I used is
    "unlikely".

    > what did you do?, take over Aaron's job as newsgroup Ogar


    And why is offering a helpful suggestion to you making me an "Ogar"? I would
    be grateful if somebody pointed out to me that I was wasting my time
    replying to a poster who might no longer be around. In fact, I did receive a
    "thank you" once for this same sort of situation. A newcomer to the group
    was replying to month-old questions. When I asked him about it, he stopped,
    and a few days later, posted a thank you message saying that problems with
    his ISP were causing delays in his receiving newsgroup posts. If I hadn't
    said anything, he would never have contacted his ISP to fix the problem.

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Dec 1, 2005
    #13
  14. M P

    PJones Guest

    I got an idea, help people who need it and stop trying to police the
    newsgroups.

    It is futile, just like the 1000 times I have seen you bitch people out
    because they were not doing something the way you would. Nobody came here
    for a lecture. As a matter of fact it causes a lot of people to never come
    back and gives them a real bad impression of the newsgroups.

    Maybe it is not meant to come across that way, but it sure does the way you
    guys act.

    Take a chill pill... if newsgroups were meant to be perfect there would be
    things in place to keep the things some of you do not like from happening.
    Like Top Posting that Evertjan is always bitching about like a little girl.

    Who the F!@# cares...
    PJones, Dec 1, 2005
    #14
  15. PJones wrote:
    > I got an idea, help people who need it and stop trying to police
    > the newsgroups.


    Well, given that you just completely ignored what I had to say, I guess you
    have a bug up your ass and there's no point in carrying on this conversation
    any further.

    plonk
    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
    Bob Barrows [MVP], Dec 1, 2005
    #15
  16. M P

    McKirahan Guest

    "Bob Barrows [MVP]" <> wrote in message
    news:#N$...
    > PJones wrote:
    > > gee, guess ya don't know everything bob
    > >

    > Where did I use the word "know"? Let's see ... yes, the word I used is
    > "unlikely".
    >
    > > what did you do?, take over Aaron's job as newsgroup Ogar

    >
    > And why is offering a helpful suggestion to you making me an "Ogar"?


    [snip]

    Perhaps he meant to call you an "ogre" as "Ogar" is not a word.

    (And you don't deserve that label as you are a great resource.)
    McKirahan, Dec 2, 2005
    #16