By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
435,492 Members | 3,174 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 435,492 IT Pros & Developers. It's quick & easy.

Password Encryptor/Decryptor for ASP 3.0?

P: n/a
M P
Hi!

Im planning to encrypt the password that was stored on msaccess database and
also the text inputed from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable to
the one that is inputed on the textbox. Is there a way on how to handle
this?

MP
Oct 14 '05 #1
Share this Question
Share on Google+
15 Replies


P: n/a
M P wrote on 14 okt 2005 in microsoft.public.inetserver.asp.general:
Also, if I want to get the
password from the database, I need to decrypt it


Not the only way.
You also could,
if the encription proces is unique [=gives always the same result],
compare both encripted forms.

--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my emailaddress)

Oct 14 '05 #2

P: n/a
M P wrote:
Hi!

Im planning to encrypt the password that was stored on msaccess database and
also the text inputed from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable to
the one that is inputed on the textbox. Is there a way on how to handle
this?

MP


Hi M P,

To store passwords, the one-way or "hash" algorhythms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:

Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB

User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.
There are several different hash algorhythms around, the most commonly
used is called MD5:
http://www.aspfaq.com/show.asp?id=2397

The first example on this page is a implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.
HTH
Gottfried
Oct 14 '05 #3

P: n/a
M P
Hi!

Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?

regards,
Me

"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:e9**************@TK2MSFTNGP09.phx.gbl...
M P wrote:
Hi!

Im planning to encrypt the password that was stored on msaccess database
and
also the text inputed from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable
to
the one that is inputed on the textbox. Is there a way on how to handle
this?

MP


Hi M P,

To store passwords, the one-way or "hash" algorhythms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:

Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB

User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.
There are several different hash algorhythms around, the most commonly
used is called MD5:
http://www.aspfaq.com/show.asp?id=2397

The first example on this page is a implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.
HTH
Gottfried

Oct 19 '05 #4

P: n/a
"M P" wrote in message news:%2***************@tk2msftngp13.phx.gbl...
: Thanks for the reply. My question is how do I handle this MD5 algorithm?
For
: example, I have a login page, how do I use the javascript?

Please respond after responses, not before them.

You don't use javascript to do this. You do it on the server-side. If you
need a MD5 function already written to work in ASP, then go here:
http://www.frez.co.uk/freecode.htm#md5

The function is md5. I call it with:
eStr = md5(str)

I put it in it's own file and I include it into any page I need. A starter
example...

<%@ Langauge = "VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
dim username, password, ePassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
username = Server.HTMLEncode(Replace(Request.Form("username") ,"'","''"))
password = Server.HTMLEncode(Replace(Request.Form("password") ,"'","''"))
' form validation
' get password from database if username exists
ePassword = md5(password)
if ePassword = cPassword then
' write to log
' validate logon
session("user") = username
' redirect to welcome
else
' report error to user
' write to log
' redirect to logon
end if
end if
%>
<!-- display logon form -->

My nocache.asp page:

<%
with Response
.Expires = -1
.ExpiresAbsolute = Now() - 1
.AddHeader "pragma", "no-cache"
.AddHeader "cache-control", "private"
.CacheControl = "no-cache"
end with
%>

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Oct 19 '05 #5

P: n/a
Roland Hall wrote:
"M P" wrote in message news:%2***************@tk2msftngp13.phx.gbl...
: Thanks for the reply. My question is how do I handle this MD5 algorithm?
For
: example, I have a login page, how do I use the javascript?

Please respond after responses, not before them.

You don't use javascript to do this. You do it on the server-side. If you
need a MD5 function already written to work in ASP, then go here:
http://www.frez.co.uk/freecode.htm#md5

The function is md5. I call it with:
eStr = md5(str)

I put it in it's own file and I include it into any page I need. A starter
example...

<%@ Langauge = "VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
dim username, password, ePassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
username = Server.HTMLEncode(Replace(Request.Form("username") ,"'","''"))
password = Server.HTMLEncode(Replace(Request.Form("password") ,"'","''"))
' form validation
' get password from database if username exists
ePassword = md5(password)
if ePassword = cPassword then
' write to log
' validate logon
session("user") = username
' redirect to welcome
else
' report error to user
' write to log
' redirect to logon
end if
end if
%>
<!-- display logon form -->

My nocache.asp page:

<%
with Response
.Expires = -1
.ExpiresAbsolute = Now() - 1
.AddHeader "pragma", "no-cache"
.AddHeader "cache-control", "private"
.CacheControl = "no-cache"
end with
%>

HTH...


Although it seems easier to put this all in one place, you might want to
consider this:

If you do the encryption all server-side, every client will send his/her
password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
internet. (or use SSL to encrypt the whole data transfer between client
and server)
just my 2 cents
Gottfried
Oct 19 '05 #6

P: n/a
M P wrote:
Hi!

Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?

regards,
Me

"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:e9**************@TK2MSFTNGP09.phx.gbl...
M P wrote:
Hi!

Im planning to encrypt the password that was stored on msaccess database
and
also the text inputed from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be comparable
to
the one that is inputed on the textbox. Is there a way on how to handle
this?

MP


Hi M P,

To store passwords, the one-way or "hash" algorhythms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:

Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB

User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.
There are several different hash algorhythms around, the most commonly
used is called MD5:
http://www.aspfaq.com/show.asp?id=2397

The first example on this page is a implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.
HTH
Gottfried



Hi M P,

You can read about the JavaScript implementation on this page:
http://pajhome.org.uk/crypt/md5/auth.html
(it even has a very interesting challange-response example to enhance
security further)
But basically, it works like this:

download md5.js, put it in your web dir.

load the JavaScript into the Login page:
<script src="md5.js" type="text/javascript"></script>

insert the md5 calculation in the onSubmit trigger of your login form:

example login form:
<form onSubmit="pw.value = hex_md5(pw.value);" name="loginform"
action="login.asp" method="post">
User: <input type="text" name="un"><br>
Pass: <input type="password" name="pw"><br>
<input type="submit" name="submit" value="submit">
</form>
On Server-Side, you check the Request("pw") against the value stored in
the database (don't forget to clean up the request string first to
prevent SQL injection ==> google).
This way, only the client knows the plain-text password, every further
step is encrypted.

HTH
Gottfried
Oct 19 '05 #7

P: n/a
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...
:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
Oct 22 '05 #8

P: n/a
check out www.aspprotect.com
or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message
news:uB**************@TK2MSFTNGP15.phx.gbl...
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...
:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation -
http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

Nov 27 '05 #9

P: n/a
Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.

Bob Barrows

PJones wrote:
check out www.aspprotect.com
or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message
news:uB**************@TK2MSFTNGP15.phx.gbl...
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...

Although it seems easier to put this all in one place, you might
want to consider this:

If you do the encryption all server-side, every client will send
his/her password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it
over the internet. (or use SSL to encrypt the whole data transfer
between client and server)


I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be
useful, but without any warranty; without even the implied warranty
of merchantability or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation
- http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Nov 27 '05 #10

P: n/a
M P
its ok bob. I am still monitoring the thread. Thanks PJones!

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.

Bob Barrows

PJones wrote:
check out www.aspprotect.com
or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message
news:uB**************@TK2MSFTNGP15.phx.gbl...
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...

Although it seems easier to put this all in one place, you might
want to consider this:

If you do the encryption all server-side, every client will send
his/her password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it
over the internet. (or use SSL to encrypt the whole data transfer
between client and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be
useful, but without any warranty; without even the implied warranty
of merchantability or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation
- http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"

Nov 30 '05 #11

P: n/a
gee, guess ya don't know everything bob

what did you do?, take over Aaron's job as newsgroup Ogar

"M P" <ma**@textguru.ph> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
its ok bob. I am still monitoring the thread. Thanks PJones!

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.

Bob Barrows

PJones wrote:
check out www.aspprotect.com
or search www.aspin.com
"Roland Hall" <nobody@nowhere> wrote in message
news:uB**************@TK2MSFTNGP15.phx.gbl...
"Gottfried Mayer" <ng*@NOOfusedSPAAAM.ch> wrote in message
news:OK*************@TK2MSFTNGP10.phx.gbl...
>
> Although it seems easier to put this all in one place, you might
> want to consider this:
>
> If you do the encryption all server-side, every client will send
> his/her password as plain-text over the internet.
>
> In my opinion (and for security reasons), I would use a client-side
> (JavaScript) MD5 Hash to encrypt the password BEFORE sending it
> over the internet. (or use SSL to encrypt the whole data transfer
> between client and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be
useful, but without any warranty; without even the implied warranty
of merchantability or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation
- http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


Dec 1 '05 #12

P: n/a
PJones wrote:
gee, guess ya don't know everything bob
Where did I use the word "know"? Let's see ... yes, the word I used is
"unlikely".
what did you do?, take over Aaron's job as newsgroup Ogar


And why is offering a helpful suggestion to you making me an "Ogar"? I would
be grateful if somebody pointed out to me that I was wasting my time
replying to a poster who might no longer be around. In fact, I did receive a
"thank you" once for this same sort of situation. A newcomer to the group
was replying to month-old questions. When I asked him about it, he stopped,
and a few days later, posted a thank you message saying that problems with
his ISP was causing delays in his receiving newsgroup posts. If I hadn't
said anything, he would never have contacted his ISP to fix the problem.

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Dec 1 '05 #13

P: n/a
I got an idea, help people who need it and stop trying to the police the
newgroups.

It is futile, just like the 1000 times I have seen you bitch people out
because they were not doing something the way you would. Nobody came here
for a lecture. As a matter of fact it causes a lot of people to never come
back and gives them a real bad impression of the newgroups.

Maybe it is not meant to come across that way, but it sure does the way you
guys act.

Take a chill pill... if newgroups were meant to be perfect there would be
things in place to keep the things some of you do not like from happening.
Like Top Posting that Evertjan is always bitching about like a little girl.

Who the F!@# cares...


"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:%2***************@TK2MSFTNGP15.phx.gbl...
PJones wrote:
gee, guess ya don't know everything bob

Where did I use the word "know"? Let's see ... yes, the word I used is
"unlikely".
what did you do?, take over Aaron's job as newsgroup Ogar


And why is offering a helpful suggestion to you making me an "Ogar"? I
would
be grateful if somebody pointed out to me that I was wasting my time
replying to a poster who might no longer be around. In fact, I did receive
a
"thank you" once for this same sort of situation. A newcomer to the group
was replying to month-old questions. When I asked him about it, he
stopped,
and a few days later, posted a thank you message saying that problems with
his ISP was causing delays in his receiving newsgroup posts. If I hadn't
said anything, he would never have contacted his ISP to fix the problem.

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Dec 1 '05 #14

P: n/a
PJones wrote:
I got an idea, help people who need it and stop trying to the police
the newgroups.


Well, given that you just completely ignored what I had to say, I guess you
have a bug up your ass and there's no point in carrying on this conversation
any further.

plonk
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Dec 2 '05 #15

P: n/a
"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:#N*************@TK2MSFTNGP15.phx.gbl...
PJones wrote:
gee, guess ya don't know everything bob

Where did I use the word "know"? Let's see ... yes, the word I used is
"unlikely".
what did you do?, take over Aaron's job as newsgroup Ogar


And why is offering a helpful suggestion to you making me an "Ogar"?


[snip]

Perhaps he meant to call you an "ogre" as "Ogar" is not a word.

(And you don't deserve that label as you are a great resource.)
Dec 2 '05 #16

This discussion thread is closed

Replies have been disabled for this discussion.