protecting password

solomon_13000 wrote on 14 jun 2006 in
microsoft.public.inetserver.asp.general:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

By not showing it on your website?

Protect against whom, btw?

I suspect every record in your table has a field called "password".

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Protect from hackers who could probably intercept the password as it
travels from a secure to unsecure to secure network.

solomon_13000 wrote:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

"solomon_13000" wrote ...

Protect from hackers who could probably intercept the password as it
travels from a secure to unsecure to secure network.

client-side hash of the password before sending it....
SSL whilst in transit
store a hashed password instead of plain text...

Just a few thoughts..

Regards

Rob

On Wed, 14 Jun 2006 08:11:55 -0500, solomon_13000
<so***********@yahoo.com> wrote:

How do I protect the password stored in the database.

The best way would be to store a hash of the password, rather than the
password itself. Microsoft has a redistributable API[1] that you can use
to generate the hash. Below I have included a function that demonstrates
the use of this API in VBScript.

' Function: Hash
' Generate a hash of a string value using the SHA1 algorithm.
'
' Arguments:
' value - The text to process
'
' Returns:
' A string containing the hexadecimal representation of the
' hash value.
Function Hash(value)
Dim data: Set data = CreateObject("CAPICOM.HashedData")
data.Algorithm = 0 ' CAPICOM_HASH_ALGORITHM_SHA1
data.Hash value
Hash = data.Value
End Function

When the visitor creates his account, you would use a function such as
this to generate a hash of the password he provided, and store that in the
database. Later, when the user logs in to your site, you would again
generate a hash of the password he provides and compare it to the one you
stored previously.

Keep in mind that, regardless of the length of the password, the hash will
be 40 characters long. Your database schema will need to reflect this.

[1] Platform SDK Redistributable: CAPICOM
http://www.microsoft.com/downloads/d...DisplayLang=en

--
Justin Piper
Bizco Technologies
http://www.bizco.com/

Why are you passing a visible password from a secure to an unsecured
network?

Bob Lehmann

"solomon_13000" <so***********@yahoo.com> wrote in message
news:11**********************@c74g2000cwc.googlegr oups.com...

Protect from hackers who could probably intercept the password as it
travels from a secure to unsecure to secure network.

solomon_13000 wrote:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

Because its an internet based application.

solomon_13000 wrote:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

solomon_13000 wrote on 15 jun 2006 in
microsoft.public.inetserver.asp.general:

solomon_13000 wrote:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

[please do not toppost on usenet]
Because its an internet based application.

You seem to be answering yourself an unasked question?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

I was asked:

Why are you passing a visible password from a secure to an unsecured
network?

My answer: Because its an internet based application

secure: hosting company server (I dont own the company)
unsecured: internet (free space)
end user: anyone including me

So if I have a login page, I supply my password and username, press the
submit button, the information will travel from the end user to the
hosting company server via an unsecured network, validated and the
results will be returned (true/false). Now anyone could possibly
intercept the password and username and do alot of damange if its not
secured.

solomon_13000 wrote:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

solomon_13000 wrote on 15 jun 2006 in
microsoft.public.inetserver.asp.general:

solomon_13000 wrote:

I am using ms access database and asp 3.0 as my front end. In my
database there is a table called account and a field called password.
How do I protect the password stored in the database.

I was asked:

Why are you passing a visible password from a secure to an unsecured
network?

My answer: Because its an internet based application

secure: hosting company server (I dont own the company)
a network?
unsecured: internet (free space)
end user: anyone including me

So if I have a login page, I supply my password and username, press the
submit button, the information will travel from the end user to the
hosting company server via an unsecured network, validated and the
results will be returned (true/false). Now anyone could possibly
intercept the password and username and do alot of damange if its not
secured.

Secure HyperText Transfer Protocol.
<http://en.wikipedia.org/wiki/Secure_hypertext_transfer_protocol>

Or use one-time passwords.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

"Justin Piper" <jp****@bizco.com> wrote in message
news:op***************@luxembourg.psg.bizcotech.co m...

On Wed, 14 Jun 2006 08:11:55 -0500, solomon_13000
<so***********@yahoo.com> wrote:

How do I protect the password stored in the database.
The best way would be to store a hash of the password, rather than the
password itself. Microsoft has a redistributable API[1] that you can use
to generate the hash. Below I have included a function that demonstrates
the use of this API in VBScript.

' Function: Hash
' Generate a hash of a string value using the SHA1 algorithm.
'
' Arguments:
' value - The text to process
'
' Returns:
' A string containing the hexadecimal representation of the
' hash value.
Function Hash(value)
Dim data: Set data = CreateObject("CAPICOM.HashedData")
data.Algorithm = 0 ' CAPICOM_HASH_ALGORITHM_SHA1
data.Hash value
Hash = data.Value
End Function

When the visitor creates his account, you would use a function such as
this to generate a hash of the password he provided, and store that in the
database. Later, when the user logs in to your site, you would again
generate a hash of the password he provides and compare it to the one you
stored previously.

Keep in mind that, regardless of the length of the password, the hash will
be 40 characters long. Your database schema will need to reflect this.

[1] Platform SDK Redistributable: CAPICOM

http://www.microsoft.com/downloads/d...DisplayLang=en
--
Justin Piper
Bizco Technologies
http://www.bizco.com/

There are a couple of problems with this approach.

First it requires a component to be installed on the client which the client
may not want to do.

Secondly just hashing the password on it's own doesn't really help, the
attacker only needs to re-use the hash to gain access.

To overcome the first limitation I've found the JS on the site to be
effective:-

http://pajhome.org.uk/crypt/md5/

Server side I still use binary APIs.

To overcome the second limitiation a challange/response approach needs to be
developed.

For example the code in the login page could contain a Nonce value (a value
which is unique and is only ever used this one time). The password and the
Nonce (I usually add the user name as well) are combined into a single
string from which the hash is derived.
The Nonce, Hash and username are sent to the server. The server looks up
the users password combines it with the Nonce and user name and should
generate a matching Hash.

Of course this requires the database contain the user password as plain
text. If this is a problem then a hash could be held and have the client
hash the password before using it in combination with the Nonce and hashing
a second time.

For a stronger solution the Nonce should have a short life time where it
expires whether it has been used or not. This can be implemented using
XMLHTTPRequest to fetch a nonce just prior to posting the login form.

Anthony.

On Sun, 18 Jun 2006 10:12:45 -0500, Anthony Jones <An*@yadayadayada.com>
wrote:

"Justin Piper" <jp****@bizco.com> wrote in message
news:op***************@luxembourg.psg.bizcotech.co m...

On Wed, 14 Jun 2006 08:11:55 -0500, solomon_13000
<so***********@yahoo.com> wrote:

> How do I protect the password stored in the database.

The best way would be to store a hash of the password, rather than the
password itself. Microsoft has a redistributable API[1] that you can use
to generate the hash. Below I have included a function that demonstrates
the use of this API in VBScript.

' Function: Hash
' Generate a hash of a string value using the SHA1 algorithm.
'
' Arguments:
' value - The text to process
'
' Returns:
' A string containing the hexadecimal representation of the
' hash value.
Function Hash(value)
Dim data: Set data = CreateObject("CAPICOM.HashedData")
data.Algorithm = 0 ' CAPICOM_HASH_ALGORITHM_SHA1
data.Hash value
Hash = data.Value
End Function

There are a couple of problems with this approach.

First it requires a component to be installed on the client which the
client
may not want to do.

Actually, I ment that this be used server-side, to protect the password in
the database from prying eyes. You're right that it would not be useful
client side, but SSL would be more appropriate for that, anyway.

--
Justin Piper
Bizco Technologies
http://www.bizco.com/

"Justin Piper" <jp****@bizco.com> wrote in message
news:op***************@luxembourg.psg.bizcotech.co m...

On Sun, 18 Jun 2006 10:12:45 -0500, Anthony Jones <An*@yadayadayada.com>
wrote:

"Justin Piper" <jp****@bizco.com> wrote in message
news:op***************@luxembourg.psg.bizcotech.co m...

On Wed, 14 Jun 2006 08:11:55 -0500, solomon_13000
<so***********@yahoo.com> wrote:

> How do I protect the password stored in the database.

The best way would be to store a hash of the password, rather than the
password itself. Microsoft has a redistributable API[1] that you can use to generate the hash. Below I have included a function that demonstrates the use of this API in VBScript.

' Function: Hash
' Generate a hash of a string value using the SHA1 algorithm.
'
' Arguments:
' value - The text to process
'
' Returns:
' A string containing the hexadecimal representation of the
' hash value.
Function Hash(value)
Dim data: Set data = CreateObject("CAPICOM.HashedData")
data.Algorithm = 0 ' CAPICOM_HASH_ALGORITHM_SHA1
data.Hash value
Hash = data.Value
End Function
There are a couple of problems with this approach.

First it requires a component to be installed on the client which the
client
may not want to do.

Actually, I ment that this be used server-side, to protect the password in
the database from prying eyes. You're right that it would not be useful
client side, but SSL would be more appropriate for that, anyway.

Thanks Justin I misunderstood you.

SSL would seem to be a better way but then you need to get a trusted
certificate (for which there may be a cost) and I've not found a way to
seemlessly transition from https to a http.

Without a trusted certificate the users are likely to get warnings that may
put them off.

A response.redirect from https to http also typically puts up a worrying
warning to the user. I've tried meta refresh but it will ignore the http
URL in the content attribute.

Any ideas, just curious?

--
Justin Piper
Bizco Technologies
http://www.bizco.com/

On Mon, 19 Jun 2006 12:18:14 -0500, Anthony Jones <An*@yadayadayada.com>
wrote:

SSL would seem to be a better way but then you need to get a trusted
certificate (for which there may be a cost) and I've not found a way to
seemlessly transition from https to a http.

Without a trusted certificate the users are likely to get warnings that
may
put them off.
True, and for good reason. A certificate that has not been signed by a
trusted authority would still be usable for encrypting the transmission,
but would be vulnerable to man-in-the-middle attacks.
A response.redirect from https to http also typically puts up a worrying
warning to the user. I've tried meta refresh but it will ignore the http
URL in the content attribute.

I'm not aware of any way around that, and it seems to be SOP on the web,
anyway. I don't expect people to get very far without running into that
warning message. You could always just stick with SSL once you use it, but
then your visitors on dialup will hate you for rendering all the images
uncachable. :)

--
Justin Piper
Bizco Technologies
http://www.bizco.com/

"Justin Piper" <jp****@bizco.com> wrote in message
news:op***************@luxembourg.psg.bizcotech.co m...

On Mon, 19 Jun 2006 12:18:14 -0500, Anthony Jones <An*@yadayadayada.com>
wrote:

SSL would seem to be a better way but then you need to get a trusted
certificate (for which there may be a cost) and I've not found a way to
seemlessly transition from https to a http.

Without a trusted certificate the users are likely to get warnings that
may
put them off.
True, and for good reason. A certificate that has not been signed by a
trusted authority would still be usable for encrypting the transmission,
but would be vulnerable to man-in-the-middle attacks.

A response.redirect from https to http also typically puts up a worrying
warning to the user. I've tried meta refresh but it will ignore the http URL in the content attribute.

I'm not aware of any way around that, and it seems to be SOP on the web,
anyway. I don't expect people to get very far without running into that
warning message. You could always just stick with SSL once you use it, but
then your visitors on dialup will hate you for rendering all the images
uncachable. :)

Not to mention the extra load on your server. Therefore I don't really
consider SSL a good solution for login bearing in mind a fairly strong
challange/response login can be created without it. SSL really becomes
useful when you need to send something to a server that it hasn't seen
before and/or shouldn't store e.g., Credit card details or the initial
username/password creation.

--
Justin Piper
Bizco Technologies
http://www.bizco.com/

Anthony Jones wrote:

Not to mention the extra load on your server. Therefore I don't
really consider SSL a good solution for login bearing in mind a
fairly strong challange/response login can be created without it.

You honestly think you can build a strong login without it? And without
taxing your server more than SSL does, at that? I am dying to hear more.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:12*************@corp.supernews.com...

Anthony Jones wrote:

Not to mention the extra load on your server. Therefore I don't
really consider SSL a good solution for login bearing in mind a
fairly strong challange/response login can be created without it.
You honestly think you can build a strong login without it?

If Challange/Response MD5 or SHA1 is not strong enough for you then no
otherwise yes. After all if you really need it be very strong it's likely
you'd want all the content protected by SSL.
And without taxing your server more than SSL does, at that?
My point was I've not at this time been able to create smooth transition for
the a SSL protected Logon page to general unprotected content. Hence either
I scare the user with nasty 'You might be posting data in a unsecure way'
sort of message or I run the whole site in SSL which would definitely demand
more of the server than is necessary.

However, I'd be interested in techniques that allowed SSL to be used for
login only but did not involved scary message being given to the user. Any
ideas?
I am dying to hear more.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use of this email address implies consent to these terms.

On Mon, 19 Jun 2006 12:18:14 -0500, Anthony Jones <An*@yadayadayada.com>
wrote:

SSL would seem to be a better way but then you need to get a trusted
certificate (for which there may be a cost) and I've not found a way to
seemlessly transition from https to a http.

Without a trusted certificate the users are likely to get warnings that
may
put them off.

A response.redirect from https to http also typically puts up a worrying
warning to the user. I've tried meta refresh but it will ignore the http
URL in the content attribute.

What version of IE are you seeing this behavior in? I have 6.0.3790.1830
(W2k3 SP1), and it seems to handle meta refresh correctly. I've included
the script I used to test below. Change the ``Script`` constant to
something appropriate.

<% Option Explicit

Const Script = "localhost/login.asp"

Dim action, secure
action = Request.Form("action")
secure = Request.ServerVariables("HTTPS")
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Default</title>
<% If action="login" Then %>
<meta http-equiv="refresh"
content="0;url=http://<%= Script %>">
<% End If %>
</head>
<body>
<div>Secure: <%= secure %></div>
<div>Action: <%= action %></div>
<form method="post" action="https://<%= Script %>">
<input type="submit" name="action" value="login">
</form>
</body>
</html>

--
Justin Piper
Bizco Technologies
http://www.bizco.com/

Hi guys,

the scripts seems to be ok with me.. it needs a little tidy up.. i guess.. well.. my suggestions will be as below;

1.) protect the .mdb file with a password
2.) set the session.timeout value - incase of idle session
3.) encrypt user password


below is the my script.. check it out..
'//--- inc_connection ---
<%
DIM ObjCon
Set ObjCon = Server.CreateObject("ADODB.Connection")
ObjCon.Open ("Provider=Microsoft.Jet.OLEDB.4.0;Persist Security Info=False;Jet OLEDBatabase Password=xyz;Data Source=" & Server.MapPath("../db/eduguide.mdb"))
%>

'//--- inc_authenticate.asp ---
<%@ LANGUAGE="VBSCRIPT" %>
<!--#INCLUDE FILE="inc_connection.asp" -->
<!--#INCLUDE FILE="inc_encryption.asp" -->
<%
Dim myAccountNo, Message, Action,ID,UID,PWD,ACL,EMAILID, nNewsID, nNewsSummary
myAccountNo = Session("myAccountNo")
Message = Session("Message")
Session("Message") = ""
Action = Session("Action")
ID = Session("ID")
UID = Session("UID")
PWD = Session("PWD")
ACL = Session("ACL")
EMAILID = Session("EMAILID")
%>
<%
dim URL_Link
dim myname, mypassword
dim cnpath, sSQL, TMPSQL
dim objRS, objUpdateRec
myname=request.form("txtUsername")
mypassword=request.form("txtPassword")
URL_Link = Request.ServerVariables("HTTP_REFERER")
if myname = "Username" or myname = "" then
Session("Message") = "Check username"
Response.Redirect URL_Link
elseif mypassword = "Password" or mypassword= "" then
Session("Message") = "Check password"
Response.Redirect URL_Link
end if
sSQL ="SELECT * FROM sSECURITYTBL WHERE USERNAME='"
sSQL = sSQL & myname & "'"
set objRS=objCon.execute(sSQL)
If objRS.EOF then
objRS.close
objCon.close
set objRS=nothing
set objCon=nothing
Session("Message") = "Invalid username"
'Response.Redirect URL_Link"?error=" & Server.URLEncode(Message)
Response.Redirect URL_Link
end if
If objRS("password")= pEncrypt(mypassword) then
'The default value is 10 minutes
Session.Timeout = 10
If Request.Form("chkRememberMe") = "True" Then
Response.Cookies("Username") = Request.Form("txtUsername")
Response.Cookies("Username").Expires = DateAdd("m", 1, Now())
Response.Cookies("Password") = Request.Form("txtPassword")
Response.Cookies("Password").Expires = DateAdd("m", 1, Now())
end if
If Request.Form("chkRememberMe") = "" Then
Response.Cookies("Username") = ""
Response.Cookies("Username").Expires = DateAdd("m", -3, Now())
Response.Cookies("Password") = ""
Response.Cookies("Password").Expires = DateAdd("m", -3, Now())
end if
'If they made it here, they logged in successfully,
'so set the value of the LoggedIn session variables
Session("LoggedIn") = "yes"
'Reroute users to appropriate page based on their access level
if objRS("accesslevel")="administrator" then
Session("isAdminLogin") = "yes"
Session("Action")= "main"
Session("ID") = objRS("ID")
Session("UID")=objRS("Username")
Session("PWD")=objRS("Password")
Session("ACL")=objRS("AccessLevel")
Session("EMAILID")=objRS("Email")
Response.redirect "../admin/default.asp"
elseif objRS("accesslevel")="educator" then
Session("Action")= "main"
Session("myAccountNo") = objRS("vAccount_No")
Session("ID") = objRS("ID")
Session("UID")=objRS("Username")
Session("PWD")=objRS("Password")
Session("ACL")=objRS("AccessLevel")
Session("EMAILID")=objRS("Email")
Response.redirect "../admin/educator/default.asp"
elseif objRS("accesslevel")="supplier" then
Session("Action")= "main"
Session("myAccountNo") = objRS("vAccount_No")
Session("ID") = objRS("ID")
Session("UID")=objRS("Username")
Session("PWD")=objRS("Password")
Session("ACL")=objRS("AccessLevel")
Session("EMAILID")=objRS("Email")
Response.redirect "../admin/supplier/default.asp"
end if
objRS.Close
objCon.Close
set objRS=nothing
set objCon=nothing
else
objRS.Close
objCon.Close
set objRS=nothing
set objCon=nothing
Session("Message") = "Invalid password"
'Response.Redirect URL_Link"?error=" & Server.URLEncode(Message)
Response.Redirect URL_Link
end if
%>

'//--- inc_logout ---
<%
Session.Abandon
Response.Redirect "../default.asp"
%>

"Justin Piper" <jp****@bizco.com> wrote in message
news:op***************@luxembourg.psg.bizcotech.co m...

On Mon, 19 Jun 2006 12:18:14 -0500, Anthony Jones <An*@yadayadayada.com>
wrote:

SSL would seem to be a better way but then you need to get a trusted
certificate (for which there may be a cost) and I've not found a way to
seemlessly transition from https to a http.

Without a trusted certificate the users are likely to get warnings that
may
put them off.

A response.redirect from https to http also typically puts up a worrying
warning to the user. I've tried meta refresh but it will ignore the http URL in the content attribute.
What version of IE are you seeing this behavior in? I have 6.0.3790.1830
(W2k3 SP1), and it seems to handle meta refresh correctly. I've included
the script I used to test below. Change the ``Script`` constant to
something appropriate.

<% Option Explicit

Const Script = "localhost/login.asp"

Dim action, secure
action = Request.Form("action")
secure = Request.ServerVariables("HTTPS")
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Default</title>
<% If action="login" Then %>
<meta http-equiv="refresh"
content="0;url=http://<%= Script %>">
<% End If %>
</head>
<body>
<div>Secure: <%= secure %></div>
<div>Action: <%= action %></div>
<form method="post" action="https://<%= Script %>">
<input type="submit" name="action" value="login">
</form>
</body>
</html>

I was missing the url= from the content attribute. It works fine now
thanks. It is certainly a better solution if you already have a trusted
certificate.
--
Justin Piper
Bizco Technologies
http://www.bizco.com/

Anthony Jones wrote:

You honestly think you can build a strong login without it?
If Challange/Response MD5 or SHA1 is not strong enough for
you then no otherwise yes.

But either of those implemented on the client is still vulnerable to
man-in-the-middle attacks, just as SSL without trust is. But you knew that.
...I'd be interested in techniques that allowed SSL to be used
for login only but did not involved scary message being given
to the user. Any ideas?

Login at amazon.com.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.

"Dave Anderson" <NY**********@spammotel.com> wrote in message
news:On**************@TK2MSFTNGP03.phx.gbl...

Anthony Jones wrote:

You honestly think you can build a strong login without it?
If Challange/Response MD5 or SHA1 is not strong enough for
you then no otherwise yes.

But either of those implemented on the client is still vulnerable to
man-in-the-middle attacks, just as SSL without trust is. But you knew

that.
Yes I did but even a logon created using trusted SSL is still vunerable to
man-in-the-middle attacks when the session in general operates over
unencrypted http. The attack is unable to actually reveal the password for
later use. The objective of this technique is simply to protect the
password. If the session needs protecting or the content then SSL is needed
for the whole session.

...I'd be interested in techniques that allowed SSL to be used
for login only but did not involved scary message being given
to the user. Any ideas?
Login at amazon.com.

Yes Justin has put me right on this already. With a trusted certificate for
a single machine I would prefer SSL too. Gets a little tricky on IIS to
support multiple SSL websites though and not all my clients want to the
hassle. Clients are nervous about the idea of the password itself floating
about on the internet unencrypted so what I've proposed suits them, their
not exactly MI5.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use of this email address implies consent to these terms.