Hi!
I'm planning to encrypt the password that was stored on MS Access database and
also the text inputted from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable to
the one that is inputted on the textbox. Is there a way on how to handle
this?
MP
M P wrote on 14 Oct 2005 in microsoft.public.inetserver.asp.general:
> Also, if I want to get the password from the database, I need to decrypt it
Not the only way.
You also could,
if the encryption process is unique [=gives always the same result],
compare both encrypted forms.
--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my emailaddress)
Hi M P,
To store passwords, the one-way or "hash" algorithms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:
Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB
User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.
There are several different hash algorithms around, the most commonly
used is called MD5: http://www.aspfaq.com/show.asp?id=2397
The first example on this page is an implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.
HTH
Gottfried
Hi!
Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?
regards,
Me
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:e9**************@TK2MSFTNGP09.phx.gbl... M P wrote: Hi!
Im planning to encrypt the password that was stored on msaccess database and also the text inputed from a password textbox. Also, if I want to get the password from the database, I need to decrypt it so it can be comparable to the one that is inputed on the textbox. Is there a way on how to handle this?
MP
Hi M P,
To store passwords, the one-way or "hash" algorhythms will be the most useful to use: As the name says, this is a one-way procedure, for example:
Password: mysecretpass Hash (example): 28F9E2A118B3 <== Store this in DB
User inputs: mysecretpass Calculate Hash: 28F9E2A118B3 Compare this to value stored in DB.
There are several different hash algorhythms around, the most commonly used is called MD5: http://www.aspfaq.com/show.asp?id=2397
The first example on this page is a implementation in JavaScript, this ensures that the password is encrypted on the client computer and submitted in the encrypted form.
HTH Gottfried
"M P" wrote in message news:%2***************@tk2msftngp13.phx.gbl...
: Thanks for the reply. My question is how do I handle this MD5 algorithm?
For
: example, I have a login page, how do I use the javascript?
Please respond after responses, not before them.
You don't use javascript to do this. You do it on the server-side. If you
need a MD5 function already written to work in ASP, then go here: http://www.frez.co.uk/freecode.htm#md5
The function is md5. I call it with:
eStr = md5(str)
I put it in its own file and I include it into any page I need. A starter
example...
<%@ Language = "VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
' cPassword: hash stored in the database for this user (set by the lookup step below)
dim username, password, ePassword, cPassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
  username = Server.HTMLEncode(Replace(Request.Form("username"), "'", "''"))
  password = Server.HTMLEncode(Replace(Request.Form("password"), "'", "''"))
  ' form validation
  ' get password from database if username exists
  ePassword = md5(password) ' hash the submitted password
  if ePassword = cPassword then
    ' write to log
    ' validate logon
    session("user") = username
    ' redirect to welcome
  else
    ' report error to user
    ' write to log
    ' redirect to logon
  end if
end if
%>
<!-- display logon form -->
My nocache.asp page:
<%
with Response
.Expires = -1
.ExpiresAbsolute = Now() - 1
.AddHeader "pragma", "no-cache"
.AddHeader "cache-control", "private"
.CacheControl = "no-cache"
end with
%>
HTH...
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
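The store-a-hash-and-compare flow from the posts above (Gottfried's description and Roland's server-side check), as an added example that is not code from the thread. It uses Node.js with a per-user salt and scrypt in place of the thread's unsalted MD5; the record format, the in-memory `users` map and the function names are assumptions for illustration.

```javascript
const { createHash, scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// The scheme described in the thread: one unsalted MD5 per password.
function md5Hex(password) {
  return createHash('md5').update(password, 'utf8').digest('hex');
}

// Salted alternative. The record layout "scrypt$<salt hex>$<hash hex>" is a
// constructed format for this example; it fits in one text column.
function hashPassword(password) {
  const salt = randomBytes(16);                 // fresh random salt per user
  const hash = scryptSync(password, salt, 32);  // deliberately slow KDF
  return ['scrypt', salt.toString('hex'), hash.toString('hex')].join('$');
}

function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false;
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  if (salt.length === 0 || expected.length === 0) return false;
  const actual = scryptSync(password, salt, expected.length);
  return timingSafeEqual(actual, expected);     // constant-time comparison
}

// Hypothetical in-memory stand-in for the users table.
const users = new Map();

function register(username, password) {
  users.set(username, hashPassword(password));
}

function login(username, password) {
  const record = users.get(username);
  // Unknown user and wrong password give the caller the same answer.
  return record !== undefined && verifyPassword(password, record);
}

function demo() {
  register('alice', 'mysecretpass');
  register('bob', 'mysecretpass');              // same password as alice
  return {
    // Unsalted: equal passwords always produce equal stored values.
    md5Identical: md5Hex('mysecretpass') === md5Hex('mysecretpass'),
    // Salted: equal passwords produce different stored records.
    saltedIdentical: users.get('alice') === users.get('bob'),
    aliceOk: login('alice', 'mysecretpass'),
    aliceWrong: login('alice', 'Mysecretpass'),
    unknownUser: login('carol', 'mysecretpass'),
    malformedRecord: verifyPassword('x', 'not-a-record'),
  };
}
```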
Although it seems easier to put this all in one place, you might want to
consider this:
If you do the encryption all server-side, every client will send his/her
password as plain-text over the internet.
In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
internet. (or use SSL to encrypt the whole data transfer between client
and server)
just my 2 cents
Gottfried
Hi M P,
You can read about the JavaScript implementation on this page: http://pajhome.org.uk/crypt/md5/auth.html
(it even has a very interesting challenge-response example to enhance
security further)
But basically, it works like this:
download md5.js, put it in your web dir.
load the JavaScript into the Login page:
<script src="md5.js" type="text/javascript"></script>
insert the md5 calculation in the onSubmit trigger of your login form:
example login form:
<form onSubmit="pw.value = hex_md5(pw.value);" name="loginform"
action="login.asp" method="post">
User: <input type="text" name="un"><br>
Pass: <input type="password" name="pw"><br>
<input type="submit" name="submit" value="submit">
</form>
On Server-Side, you check the Request("pw") against the value stored in
the database (don't forget to clean up the request string first to
prevent SQL injection ==> google).
This way, only the client knows the plain-text password, every further
step is encrypted.
HTH
Gottfried
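The challenge-response idea mentioned in the post above, next to the plain hash-on-submit form, as an added Node.js example that is not code from the thread or from the linked page. HMAC-SHA-256, the `STORED` table and all function names are assumptions; it shows that a submitted static hash verifies again unchanged, while a response bound to a single-use server nonce does not.

```javascript
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Constructed sample data: the hash the server stores for user "alice".
const STORED = { alice: sha256Hex('mysecretpass') };

function safeEqualHex(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length > 0 && x.length === y.length && timingSafeEqual(x, y);
}

// Scheme 1: the form submits hash(password); the server compares it to the
// stored hash. The submitted value is the same on every login.
function verifyStatic(user, submittedHash) {
  return safeEqualHex(submittedHash, STORED[user]);
}

// Scheme 2: the server issues a random single-use nonce and expects
// HMAC(key = stored hash, message = nonce) back.
class ChallengeServer {
  constructor() { this.pending = new Map(); }

  issue(user) {
    const nonce = randomBytes(16).toString('hex');
    this.pending.set(user, nonce);
    return nonce;
  }

  verify(user, response) {
    const nonce = this.pending.get(user);
    this.pending.delete(user);                  // a nonce is valid once only
    const stored = STORED[user];
    if (!nonce || !stored) return false;
    // The stored hash is the shared secret here, so the database value
    // still has to be protected like a password.
    const expected = createHmac('sha256', Buffer.from(stored, 'hex'))
      .update(nonce).digest('hex');
    return safeEqualHex(response, expected);
  }
}

// What the login page's script would compute before submitting.
function clientResponse(password, nonce) {
  const key = Buffer.from(sha256Hex(password), 'hex');
  return createHmac('sha256', key).update(nonce).digest('hex');
}

function demo() {
  const submitted = sha256Hex('mysecretpass');  // scheme 1 form value
  const staticFirst = verifyStatic('alice', submitted);
  const staticAgain = verifyStatic('alice', submitted); // same bytes, same result

  const server = new ChallengeServer();
  const nonce = server.issue('alice');
  const response = clientResponse('mysecretpass', nonce);
  const crFirst = server.verify('alice', response);
  server.issue('alice');                        // next login gets a new nonce
  const crAgain = server.verify('alice', response);     // old response, new nonce
  const crNoChallenge = server.verify('alice', response); // nothing pending
  return { staticFirst, staticAgain, crFirst, crAgain, crNoChallenge };
}
```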
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...
:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)
I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.
--
Roland Hall
check out www.aspprotect.com
or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message
news:uB**************@TK2MSFTNGP15.phx.gbl... "Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message news:OK*************@TK2MSFTNGP10.phx.gbl... : : Although it seems easier to put this all in one place, you might want to : consider this: : : If you do the encryption all server-side, every client will send his/her : password as plain-text over the internet. : : In my opinion (and for security reasons), I would use a client-side : (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the : internet. (or use SSL to encrypt the whole data transfer between client : and server)
I would normally use SSL, as all basic authentication should, but the client-side alternative is a good suggestion.
-- Roland Hall /* This information is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. */ Technet Script Center - http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp MSDN Library - http://msdn.microsoft.com/library/default.asp
Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
It's ok Bob. I am still monitoring the thread. Thanks PJones!
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl... Why are you responding to month-old questions? The original poster is unlikely to be paying attention to this thread anymore.
Bob Barrows
PJones wrote: check out www.aspprotect.com or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message news:uB**************@TK2MSFTNGP15.phx.gbl... "Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message news:OK*************@TK2MSFTNGP10.phx.gbl...
Although it seems easier to put this all in one place, you might want to consider this:
If you do the encryption all server-side, every client will send his/her password as plain-text over the internet.
In my opinion (and for security reasons), I would use a client-side (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the internet. (or use SSL to encrypt the whole data transfer between client and server)
I would normally use SSL, as all basic authentication should, but the client-side alternative is a good suggestion.
-- Roland Hall /* This information is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. */ Technet Script Center - http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp MSDN Library - http://msdn.microsoft.com/library/default.asp
-- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
gee, guess ya don't know everything bob
what did you do?, take over Aaron's job as newsgroup Ogar
"M P" <ma**@textguru.ph> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... its ok bob. I am still monitoring the thread. Thanks PJones!
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message news:%2***************@TK2MSFTNGP12.phx.gbl... Why are you responding to month-old questions? The original poster is unlikely to be paying attention to this thread anymore.
Bob Barrows
PJones wrote: check out www.aspprotect.com or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message news:uB**************@TK2MSFTNGP15.phx.gbl... "Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message news:OK*************@TK2MSFTNGP10.phx.gbl... > > Although it seems easier to put this all in one place, you might > want to consider this: > > If you do the encryption all server-side, every client will send > his/her password as plain-text over the internet. > > In my opinion (and for security reasons), I would use a client-side > (JavaScript) MD5 Hash to encrypt the password BEFORE sending it > over the internet. (or use SSL to encrypt the whole data transfer > between client and server)
I would normally use SSL, as all basic authentication should, but the client-side alternative is a good suggestion.
-- Roland Hall /* This information is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. */ Technet Script Center - http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp MSDN Library - http://msdn.microsoft.com/library/default.asp
-- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
PJones wrote:
> gee, guess ya don't know everything bob
Where did I use the word "know"? Let's see ... yes, the word I used is
"unlikely".
> what did you do?, take over Aaron's job as newsgroup Ogar
And why is offering a helpful suggestion to you making me an "Ogar"? I would
be grateful if somebody pointed out to me that I was wasting my time
replying to a poster who might no longer be around. In fact, I did receive a
"thank you" once for this same sort of situation. A newcomer to the group
was replying to month-old questions. When I asked him about it, he stopped,
and a few days later, posted a thank you message saying that problems with
his ISP were causing delays in his receiving newsgroup posts. If I hadn't
said anything, he would never have contacted his ISP to fix the problem.
Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
I got an idea, help people who need it and stop trying to police the
newsgroups.
It is futile, just like the 1000 times I have seen you bitch people out
because they were not doing something the way you would. Nobody came here
for a lecture. As a matter of fact it causes a lot of people to never come
back and gives them a real bad impression of the newsgroups.
Maybe it is not meant to come across that way, but it sure does the way you
guys act.
Take a chill pill... if newsgroups were meant to be perfect there would be
things in place to keep the things some of you do not like from happening.
Like Top Posting that Evertjan is always bitching about like a little girl.
Who the F!@# cares...
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@TK2MSFTNGP15.phx.gbl... PJones wrote: gee, guess ya don't know everything bob Where did I use the word "know"? Let's see ... yes, the word I used is "unlikely".
what did you do?, take over Aaron's job as newsgroup Ogar
And why is offering a helpful suggestion to you making me an "Ogar"? I would be grateful if somebody pointed out to me that I was wasting my time replying to a poster who might no longer be around. In fact, I did receive a "thank you" once for this same sort of situation. A newcomer to the group was replying to month-old questions. When I asked him about it, he stopped, and a few days later, posted a thank you message saying that problems with his ISP was causing delays in his receiving newsgroup posts. If I hadn't said anything, he would never have contacted his ISP to fix the problem.
Bob Barrows -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
PJones wrote:
> I got an idea, help people who need it and stop trying to police the newsgroups.
Well, given that you just completely ignored what I had to say, I guess you
have a bug up your ass and there's no point in carrying on this conversation
any further.
plonk
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:#N*************@TK2MSFTNGP15.phx.gbl... PJones wrote: gee, guess ya don't know everything bob Where did I use the word "know"? Let's see ... yes, the word I used is "unlikely".
what did you do?, take over Aaron's job as newsgroup Ogar
And why is offering a helpful suggestion to you making me an "Ogar"?
[snip]
Perhaps he meant to call you an "ogre" as "Ogar" is not a word.
(And you don't deserve that label as you are a great resource.)