Password Encryptor/Decryptor for ASP 3.0?

M P
Hi!

I'm planning to encrypt the password that was stored in an MS Access database and
also the text inputted from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable to
the one that is inputted on the textbox. Is there a way to handle
this?

MP
Oct 14 '05 #1
M P wrote on 14 Oct 2005 in microsoft.public.inetserver.asp.general:
> Also, if I want to get the
> password from the database, I need to decrypt it

Not the only way.
You also could,
if the encryption process is unique [=always gives the same result],
compare both encrypted forms.

--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my email address)

Oct 14 '05 #2
M P wrote:
> Hi!
>
> I'm planning to encrypt the password that was stored in an MS Access database and
> also the text inputted from a password textbox. Also, if I want to get the
> password from the database, I need to decrypt it so it can be comparable to
> the one that is inputted on the textbox. Is there a way to handle
> this?
>
> MP

Hi M P,

To store passwords, the one-way or "hash" algorithms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:

Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB

User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.

There are several different hash algorithms around, the most commonly
used is called MD5:
http://www.aspfaq.com/show.asp?id=2397

The first example on this page is an implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.

HTH
Gottfried
Oct 14 '05 #3
M P
Hi!

Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?

regards,
Me

"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:e9**************@TK2MSFTNGP09.phx.gbl...
> M P wrote:
> > Hi!
> >
> > I'm planning to encrypt the password that was stored in an MS Access database
> > and also the text inputted from a password textbox. Also, if I want to get the
> > password from the database, I need to decrypt it so it can be comparable
> > to the one that is inputted on the textbox. Is there a way to handle
> > this?
> >
> > MP
>
> Hi M P,
>
> To store passwords, the one-way or "hash" algorithms will be the most
> useful to use:
> As the name says, this is a one-way procedure, for example:
>
> Password: mysecretpass
> Hash (example): 28F9E2A118B3 <== Store this in DB
>
> User inputs: mysecretpass
> Calculate Hash: 28F9E2A118B3
> Compare this to value stored in DB.
>
> There are several different hash algorithms around, the most commonly
> used is called MD5:
> http://www.aspfaq.com/show.asp?id=2397
>
> The first example on this page is an implementation in JavaScript, this
> ensures that the password is encrypted on the client computer and
> submitted in the encrypted form.
>
> HTH
> Gottfried

Oct 19 '05 #4
"M P" wrote in message news:%2***************@tk2msftngp13.phx.gbl...
: Thanks for the reply. My question is how do I handle this MD5 algorithm? For
: example, I have a login page, how do I use the javascript?

Please respond after responses, not before them.

You don't use javascript to do this. You do it on the server-side. If you
need an MD5 function already written to work in ASP, then go here:
http://www.frez.co.uk/freecode.htm#md5

The function is md5. I call it with:
eStr = md5(str)

I put it in its own file and I include it into any page I need. A starter
example...

<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
' cPassword holds the MD5 hash stored in the database for this user
dim username, password, ePassword, cPassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
  username = Server.HTMLEncode(Replace(Request.Form("username"),"'","''"))
  password = Server.HTMLEncode(Replace(Request.Form("password"),"'","''"))
  ' form validation
  ' get password from database (into cPassword) if username exists
  ePassword = md5(password) ' hash the submitted password
  if ePassword = cPassword then
    ' write to log
    ' validate logon
    session("user") = username
    ' redirect to welcome
  else
    ' report error to user
    ' write to log
    ' redirect to logon
  end if
end if
%>
<!-- display logon form -->

My nocache.asp page:

<%
with Response
  .Expires = -1
  .ExpiresAbsolute = Now() - 1
  .AddHeader "pragma", "no-cache"
  .AddHeader "cache-control", "private"
  .CacheControl = "no-cache"
end with
%>

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Oct 19 '05 #5
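
Added example, not part of the thread or of the md5 include it links to: the store-a-hash-and-compare login check discussed above, written for Node.js JavaScript rather than ASP. It puts the thread's unsalted MD5 comparison beside a per-user salted scrypt record; the `scrypt$salt$hash` record layout, the function names and the sample users are assumptions made for this example.

```javascript
const nodeCrypto = require('crypto');

// The thread's scheme: store one unsalted MD5 digest, compare digests at login.
function md5Hex(password) {
  return nodeCrypto.createHash('md5').update(password, 'utf8').digest('hex');
}

// Hardened form (assumed layout "scrypt$<salt hex>$<hash hex>"):
// a fresh random salt per user and a deliberately slow key-derivation function.
function createRecord(password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, 32);
  return `scrypt$${salt.toString('hex')}$${hash.toString('hex')}`;
}

// Recompute with the stored salt and compare in constant time.
function verifyRecord(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false;
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  if (salt.length !== 16 || expected.length !== 32) return false;
  const actual = nodeCrypto.scryptSync(password, salt, expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: two users happen to pick the same password.
const SAMPLE_USERS = [
  { user: 'alice', password: 'mysecretpass' },
  { user: 'bob', password: 'mysecretpass' },
  { user: 'carol', password: 'another-one' },
];

// Builds the "users table" a given storage function would produce.
function storeAll(hashFn) {
  return SAMPLE_USERS.map(({ user, password }) => ({ user, stored: hashFn(password) }));
}

// Audit view of a users table: which accounts share a stored value?
// With unsalted digests, equal passwords are visible to anyone who can read the table.
function sharedStoredValues(rows) {
  const byValue = new Map();
  for (const { user, stored } of rows) {
    byValue.set(stored, [...(byValue.get(stored) || []), user]);
  }
  return [...byValue.values()].filter((users) => users.length > 1);
}
```
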
Roland Hall wrote:
> "M P" wrote in message news:%2***************@tk2msftngp13.phx.gbl...
> : Thanks for the reply. My question is how do I handle this MD5 algorithm? For
> : example, I have a login page, how do I use the javascript?
>
> Please respond after responses, not before them.
>
> You don't use javascript to do this. You do it on the server-side. If you
> need an MD5 function already written to work in ASP, then go here:
> http://www.frez.co.uk/freecode.htm#md5
>
> The function is md5. I call it with:
> eStr = md5(str)
>
> I put it in its own file and I include it into any page I need. A starter
> example...
>
> <%@ Language="VBScript" %>
> <%
> Option Explicit
> Response.Buffer = True
> %>
> <!--#include virtual="/asp/nocache.asp"-->
> <!--#include virtual="/asp/md5.asp"-->
> <%
> ' cPassword holds the MD5 hash stored in the database for this user
> dim username, password, ePassword, cPassword, method
> method = Request.ServerVariables("REQUEST_METHOD")
> if method = "POST" then ' form has been posted
>   username = Server.HTMLEncode(Replace(Request.Form("username"),"'","''"))
>   password = Server.HTMLEncode(Replace(Request.Form("password"),"'","''"))
>   ' form validation
>   ' get password from database (into cPassword) if username exists
>   ePassword = md5(password) ' hash the submitted password
>   if ePassword = cPassword then
>     ' write to log
>     ' validate logon
>     session("user") = username
>     ' redirect to welcome
>   else
>     ' report error to user
>     ' write to log
>     ' redirect to logon
>   end if
> end if
> %>
> <!-- display logon form -->
>
> My nocache.asp page:
>
> <%
> with Response
>   .Expires = -1
>   .ExpiresAbsolute = Now() - 1
>   .AddHeader "pragma", "no-cache"
>   .AddHeader "cache-control", "private"
>   .CacheControl = "no-cache"
> end with
> %>
>
> HTH...


Although it seems easier to put this all in one place, you might want to
consider this:

If you do the encryption all server-side, every client will send his/her
password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
internet. (or use SSL to encrypt the whole data transfer between client
and server)
just my 2 cents
Gottfried
Oct 19 '05 #6
M P wrote:
> Hi!
>
> Thanks for the reply. My question is how do I handle this MD5 algorithm? For
> example, I have a login page, how do I use the javascript?
>
> regards,
> Me
>
> "Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
> news:e9**************@TK2MSFTNGP09.phx.gbl...
> > M P wrote:
> > > Hi!
> > >
> > > I'm planning to encrypt the password that was stored in an MS Access database
> > > and also the text inputted from a password textbox. Also, if I want to get the
> > > password from the database, I need to decrypt it so it can be comparable
> > > to the one that is inputted on the textbox. Is there a way to handle
> > > this?
> > >
> > > MP
> >
> > Hi M P,
> >
> > To store passwords, the one-way or "hash" algorithms will be the most
> > useful to use:
> > As the name says, this is a one-way procedure, for example:
> >
> > Password: mysecretpass
> > Hash (example): 28F9E2A118B3 <== Store this in DB
> >
> > User inputs: mysecretpass
> > Calculate Hash: 28F9E2A118B3
> > Compare this to value stored in DB.
> >
> > There are several different hash algorithms around, the most commonly
> > used is called MD5:
> > http://www.aspfaq.com/show.asp?id=2397
> >
> > The first example on this page is an implementation in JavaScript, this
> > ensures that the password is encrypted on the client computer and
> > submitted in the encrypted form.
> >
> > HTH
> > Gottfried



Hi M P,

You can read about the JavaScript implementation on this page:
http://pajhome.org.uk/crypt/md5/auth.html
(it even has a very interesting challenge-response example to enhance
security further)
But basically, it works like this:

download md5.js, put it in your web dir.

load the JavaScript into the Login page:
<script src="md5.js" type="text/javascript"></script>

insert the md5 calculation in the onSubmit trigger of your login form:

example login form:
<form onSubmit="pw.value = hex_md5(pw.value);" name="loginform"
action="login.asp" method="post">
User: <input type="text" name="un"><br>
Pass: <input type="password" name="pw"><br>
<input type="submit" name="submit" value="submit">
</form>

On Server-Side, you check the Request("pw") against the value stored in
the database (don't forget to clean up the request string first to
prevent SQL injection ==> google).
This way, only the client knows the plain-text password, every further
step is encrypted.

HTH
Gottfried
Oct 19 '05 #7
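
Added example, not code from the thread or from the linked md5.js page: a sketch of the challenge-response exchange the post above mentions, with both sides in Node.js JavaScript. The HMAC-SHA256 construction, the in-memory nonce store and all function names are assumptions of this example; the stored value is the hex MD5 digest the thread keeps in the database.

```javascript
const nodeCrypto = require('crypto');

// What the thread's database column holds: the hex MD5 of the password.
function md5Hex(password) {
  return nodeCrypto.createHash('md5').update(password, 'utf8').digest('hex');
}

// Server side: one outstanding nonce per login attempt
// (hypothetical in-memory store; a real site would tie it to the session).
const pendingNonces = new Map();

function issueChallenge(attemptId) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pendingNonces.set(attemptId, nonce);
  return nonce;
}

// Client side: derive the digest locally and send only an HMAC over the
// server's nonce, so the value on the wire differs for every login.
function clientResponse(password, nonce) {
  return nodeCrypto.createHmac('sha256', md5Hex(password)).update(nonce).digest('hex');
}

// Server side: recompute from the stored digest, compare in constant time,
// and retire the nonce so a response is accepted at most once.
function verifyResponse(attemptId, storedDigest, responseHex) {
  const nonce = pendingNonces.get(attemptId);
  pendingNonces.delete(attemptId); // single use, whether or not the check passes
  if (!nonce || !/^[0-9a-f]{64}$/.test(String(responseHex))) return false;
  const expected = nodeCrypto.createHmac('sha256', storedDigest).update(nonce).digest();
  return nodeCrypto.timingSafeEqual(expected, Buffer.from(responseHex, 'hex'));
}
```

The stored digest is the shared secret in this exchange, so the users table needs the same protection as a password list, and the SSL transport mentioned in the thread is still needed.
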
"Gottfried Mayer" <ng*@NOOfusedSP AAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...
:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Oct 22 '05 #8
check out www.aspprotect.com
or search www.aspin.com

"Roland Hall" <nobody@nowhere> wrote in message
news:uB**************@TK2MSFTNGP15.phx.gbl...
> "Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
> news:OK*************@TK2MSFTNGP10.phx.gbl...
> :
> : Although it seems easier to put this all in one place, you might want to
> : consider this:
> :
> : If you do the encryption all server-side, every client will send his/her
> : password as plain-text over the internet.
> :
> : In my opinion (and for security reasons), I would use a client-side
> : (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
> : internet. (or use SSL to encrypt the whole data transfer between client
> : and server)
>
> I would normally use SSL, as all basic authentication should, but the
> client-side alternative is a good suggestion.
>
> --
> Roland Hall
> /* This information is distributed in the hope that it will be useful, but
> without any warranty; without even the implied warranty of merchantability
> or fitness for a particular purpose. */
> Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
> WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
> MSDN Library - http://msdn.microsoft.com/library/default.asp

Nov 27 '05 #9
Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.

Bob Barrows

PJones wrote:
> check out www.aspprotect.com
> or search www.aspin.com
>
> "Roland Hall" <nobody@nowhere> wrote in message
> news:uB**************@TK2MSFTNGP15.phx.gbl...
> > "Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
> > news:OK*************@TK2MSFTNGP10.phx.gbl...
> > >
> > > Although it seems easier to put this all in one place, you might
> > > want to consider this:
> > >
> > > If you do the encryption all server-side, every client will send
> > > his/her password as plain-text over the internet.
> > >
> > > In my opinion (and for security reasons), I would use a client-side
> > > (JavaScript) MD5 Hash to encrypt the password BEFORE sending it
> > > over the internet. (or use SSL to encrypt the whole data transfer
> > > between client and server)
> >
> > I would normally use SSL, as all basic authentication should, but the
> > client-side alternative is a good suggestion.
> >
> > --
> > Roland Hall
> > /* This information is distributed in the hope that it will be
> > useful, but without any warranty; without even the implied warranty
> > of merchantability or fitness for a particular purpose. */
> > Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
> > WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
> > MSDN Library - http://msdn.microsoft.com/library/default.asp


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Nov 27 '05 #10
