Password Encryptor/Decryptor for ASP 3.0?

 
 
M P
      10-14-2005
Hi!

I'm planning to encrypt the password that is stored in an MS Access database and
also the text inputted from a password textbox. Also, if I want to get the
password from the database, I need to decrypt it so it can be compared to
the one that is inputted in the textbox. Is there a way to handle
this?

MP


 
Evertjan.
      10-14-2005
M P wrote on 14 Oct 2005 in microsoft.public.inetserver.asp.general:

> Also, if I want to get the
> password from the database, I need to decrypt it


Not the only way.
You also could,
if the encryption process is unique [=always gives the same result],
compare both encrypted forms.

--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my email address)

 
Gottfried Mayer
      10-14-2005
M P wrote:
> Hi!
>
> I'm planning to encrypt the password that is stored in an MS Access database and
> also the text inputted from a password textbox. Also, if I want to get the
> password from the database, I need to decrypt it so it can be compared to
> the one that is inputted in the textbox. Is there a way to handle
> this?
>
> MP
>
>


Hi M P,

To store passwords, the one-way or "hash" algorithms will be the most
useful to use:
As the name says, this is a one-way procedure, for example:

Password: mysecretpass
Hash (example): 28F9E2A118B3 <== Store this in DB

User inputs: mysecretpass
Calculate Hash: 28F9E2A118B3
Compare this to value stored in DB.


There are several different hash algorithms around, the most commonly
used is called MD5:
http://www.aspfaq.com/show.asp?id=2397

The first example on this page is an implementation in JavaScript, this
ensures that the password is encrypted on the client computer and
submitted in the encrypted form.


HTH
Gottfried
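
The store-and-compare flow from this post, as an added example in Node.js that is not part of the original thread: it swaps the bare MD5 for a per-user random salt and the slow `crypto.scryptSync` function, so identical passwords do not produce identical stored values. The `users` map and the function names are hypothetical stand-ins for the database table and login code.

```javascript
const crypto = require("crypto");

// Constructed in-memory stand-in for the users table (assumption).
const users = new Map();

// Derive a slow, salted hash and return it as "salt:key" in hex.
// Only this string is stored; the plain-text password never is.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const key = crypto.scryptSync(password, salt, 32);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

// "Store this in DB" step from the post.
function register(username, password) {
  users.set(username, hashPassword(password));
}

// "Calculate hash, compare to value stored in DB" step from the post.
function verify(username, password) {
  const stored = users.get(username);
  if (!stored) {
    // Unknown user: still do the expensive work so the response time
    // does not reveal whether the account exists.
    hashPassword(password);
    return false;
  }
  const [saltHex, keyHex] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  const actual = crypto.scryptSync(
    password,
    Buffer.from(saltHex, "hex"),
    expected.length
  );
  // Constant-time comparison instead of a plain string "=".
  return crypto.timingSafeEqual(actual, expected);
}
```
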
 
M P
      10-19-2005
Hi!

Thanks for the reply. My question is how do I handle this MD5 algorithm? For
example, I have a login page, how do I use the javascript?

regards,
Me

"Gottfried Mayer" <(E-Mail Removed)> wrote in message
news:e9m$(E-Mail Removed)...
>M P wrote:
>> Hi!
>>
>> I'm planning to encrypt the password that is stored in an MS Access database
>> and also the text inputted from a password textbox. Also, if I want to get the
>> password from the database, I need to decrypt it so it can be compared
>> to the one that is inputted in the textbox. Is there a way to handle
>> this?
>>
>> MP
>>
>>

>
> Hi M P,
>
> To store passwords, the one-way or "hash" algorithms will be the most
> useful to use:
> As the name says, this is a one-way procedure, for example:
>
> Password: mysecretpass
> Hash (example): 28F9E2A118B3 <== Store this in DB
>
> User inputs: mysecretpass
> Calculate Hash: 28F9E2A118B3
> Compare this to value stored in DB.
>
>
> There are several different hash algorithms around, the most commonly
> used is called MD5:
> http://www.aspfaq.com/show.asp?id=2397
>
> The first example on this page is an implementation in JavaScript, this
> ensures that the password is encrypted on the client computer and
> submitted in the encrypted form.
>
>
> HTH
> Gottfried



 
Roland Hall
      10-19-2005
"M P" wrote in message news:%(E-Mail Removed)...
: Thanks for the reply. My question is how do I handle this MD5 algorithm? For
: example, I have a login page, how do I use the javascript?

Please respond after responses, not before them.

You don't use javascript to do this. You do it on the server-side. If you
need a MD5 function already written to work in ASP, then go here:
http://www.frez.co.uk/freecode.htm#md5

The function is md5. I call it with:
eStr = md5(str)

I put it in its own file and I include it into any page I need. A starter
example...

<%@ Language = "VBScript" %>
<%
Option Explicit
Response.Buffer = True
%>
<!--#include virtual="/asp/nocache.asp"-->
<!--#include virtual="/asp/md5.asp"-->
<%
' cPassword holds the hash stored in the database for this user;
' it must be declared because Option Explicit is on
dim username, password, ePassword, cPassword, method
method = Request.ServerVariables("REQUEST_METHOD")
if method = "POST" then ' form has been posted
    username = Server.HTMLEncode(Replace(Request.Form("username"), "'", "''"))
    password = Server.HTMLEncode(Replace(Request.Form("password"), "'", "''"))
    ' form validation
    ' get password from database if username exists
    ePassword = md5(password)
    if ePassword = cPassword then
        ' write to log
        ' validate logon
        session("user") = username
        ' redirect to welcome
    else
        ' report error to user
        ' write to log
        ' redirect to logon
    end if
end if
%>
<!-- display logon form -->
<!-- display logon form -->

My nocache.asp page:

<%
with Response
    .Expires = -1
    .ExpiresAbsolute = Now() - 1
    .AddHeader "pragma", "no-cache"
    .AddHeader "cache-control", "private"
    .CacheControl = "no-cache"
end with
%>

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


 
Gottfried Mayer
      10-19-2005
Roland Hall wrote:
> "M P" wrote in message news:%(E-Mail Removed)...
> : Thanks for the reply. My question is how do I handle this MD5 algorithm? For
> : example, I have a login page, how do I use the javascript?
>
> Please respond after responses, not before them.
>
> You don't use javascript to do this. You do it on the server-side. If you
> need a MD5 function already written to work in ASP, then go here:
> http://www.frez.co.uk/freecode.htm#md5
>
> The function is md5. I call it with:
> eStr = md5(str)
>
> I put it in its own file and I include it into any page I need. A starter
> example...
>
> <%@ Language = "VBScript" %>
> <%
> Option Explicit
> Response.Buffer = True
> %>
> <!--#include virtual="/asp/nocache.asp"-->
> <!--#include virtual="/asp/md5.asp"-->
> <%
> dim username, password, ePassword, method
> method = Request.ServerVariables("REQUEST_METHOD")
> if method = "POST" then ' form has been posted
> username = Server.HTMLEncode(Replace(Request.Form("username") ,"'","''"))
> password = Server.HTMLEncode(Replace(Request.Form("password") ,"'","''"))
> ' form validation
> ' get password from database if username exists
> ePassword = md5(password)
> if ePassword = cPassword then
> ' write to log
> ' validate logon
> session("user") = username
> ' redirect to welcome
> else
> ' report error to user
> ' write to log
> ' redirect to logon
> end if
> end if
> %>
> <!-- display logon form -->
>
> My nocache.asp page:
>
> <%
> with Response
> .Expires = -1
> .ExpiresAbsolute = Now() - 1
> .AddHeader "pragma", "no-cache"
> .AddHeader "cache-control", "private"
> .CacheControl = "no-cache"
> end with
> %>
>
> HTH...
>


Although it seems easier to put this all in one place, you might want to
consider this:

If you do the encryption all server-side, every client will send his/her
password as plain-text over the internet.

In my opinion (and for security reasons), I would use a client-side
(JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
internet. (or use SSL to encrypt the whole data transfer between client
and server)


just my 2 cents
Gottfried
 
Gottfried Mayer
      10-19-2005
M P wrote:
> Hi!
>
> Thanks for the reply. My question is how do I handle this MD5 algorithm? For
> example, I have a login page, how do I use the javascript?
>
> regards,
> Me
>
> "Gottfried Mayer" <(E-Mail Removed)> wrote in message
> news:e9m$(E-Mail Removed)...
>
>>M P wrote:
>>
>>>Hi!
>>>
>>>I'm planning to encrypt the password that is stored in an MS Access database
>>>and also the text inputted from a password textbox. Also, if I want to get the
>>>password from the database, I need to decrypt it so it can be compared
>>>to the one that is inputted in the textbox. Is there a way to handle
>>>this?
>>>
>>>MP
>>>
>>>

>>
>>Hi M P,
>>
>>To store passwords, the one-way or "hash" algorithms will be the most
>>useful to use:
>>As the name says, this is a one-way procedure, for example:
>>
>>Password: mysecretpass
>>Hash (example): 28F9E2A118B3 <== Store this in DB
>>
>>User inputs: mysecretpass
>>Calculate Hash: 28F9E2A118B3
>>Compare this to value stored in DB.
>>
>>
>>There are several different hash algorithms around, the most commonly
>>used is called MD5:
>>http://www.aspfaq.com/show.asp?id=2397
>>
>>The first example on this page is an implementation in JavaScript, this
>>ensures that the password is encrypted on the client computer and
>>submitted in the encrypted form.
>>
>>
>>HTH
>> Gottfried

>
>
>


Hi M P,

You can read about the JavaScript implementation on this page:
http://pajhome.org.uk/crypt/md5/auth.html
(it even has a very interesting challenge-response example to enhance
security further)


But basically, it works like this:

download md5.js, put it in your web dir.

load the JavaScript into the Login page:
<script src="md5.js" type="text/javascript"></script>

insert the md5 calculation in the onSubmit trigger of your login form:

example login form:
<form onSubmit="pw.value = hex_md5(pw.value);" name="loginform"
action="login.asp" method="post">
User: <input type="text" name="un"><br>
Pass: <input type="password" name="pw"><br>
<input type="submit" name="submit" value="submit">
</form>


On Server-Side, you check the Request("pw") against the value stored in
the database (don't forget to clean up the request string first to
prevent SQL injection ==> google).
This way, only the client knows the plain-text password, every further
step is encrypted.

HTH
Gottfried
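
The challenge-response idea this post links to, as an added example in Node.js (not code from the thread or from md5.js): a hash computed once in the browser is a fixed value that works like the password for anyone who captures it, whereas a response bound to a one-time server nonce cannot be replayed. It uses HMAC-SHA256 from Node's crypto module; `db`, `pending` and the function names are hypothetical.

```javascript
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, msg) =>
  crypto.createHmac("sha256", key).update(msg).digest("hex");

// Constructed server state: stored verifier per user, and the
// challenge currently outstanding for each login attempt.
const db = { mp: sha256("mysecretpass") };
const pending = new Map();

// Server: send a fresh random nonce with the login form.
function issueChallenge(username) {
  const nonce = crypto.randomBytes(16).toString("hex");
  pending.set(username, nonce);
  return nonce;
}

// Client (what the form's onSubmit handler would compute): the
// response depends on both the password and this login's nonce.
function clientResponse(password, nonce) {
  return hmac(sha256(password), nonce);
}

// Server: recompute the expected response and compare.
function serverVerify(username, response) {
  const nonce = pending.get(username);
  pending.delete(username); // each challenge is valid exactly once
  const verifier = db[username];
  if (!nonce || !verifier) return false;
  const expected = Buffer.from(hmac(verifier, nonce), "hex");
  const got = Buffer.from(String(response), "hex");
  return got.length === expected.length &&
    crypto.timingSafeEqual(got, expected);
}
```

The stored verifier still has to be protected like a password, and the exchange does not hide any other form data, so it complements SSL rather than replacing it.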
 
Roland Hall
      10-22-2005
"Gottfried Mayer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
:
: Although it seems easier to put this all in one place, you might want to
: consider this:
:
: If you do the encryption all server-side, every client will send his/her
: password as plain-text over the internet.
:
: In my opinion (and for security reasons), I would use a client-side
: (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
: internet. (or use SSL to encrypt the whole data transfer between client
: and server)

I would normally use SSL, as all basic authentication should, but the
client-side alternative is a good suggestion.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


 
PJones
      11-27-2005
check out www.aspprotect.com
or search www.aspin.com


"Roland Hall" <nobody@nowhere> wrote in message
news:(E-Mail Removed)...
> "Gottfried Mayer" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> :
> : Although it seems easier to put this all in one place, you might want to
> : consider this:
> :
> : If you do the encryption all server-side, every client will send his/her
> : password as plain-text over the internet.
> :
> : In my opinion (and for security reasons), I would use a client-side
> : (JavaScript) MD5 Hash to encrypt the password BEFORE sending it over the
> : internet. (or use SSL to encrypt the whole data transfer between client
> : and server)
>
> I would normally use SSL, as all basic authentication should, but the
> client-side alternative is a good suggestion.
>
> --
> Roland Hall
> /* This information is distributed in the hope that it will be useful, but
> without any warranty; without even the implied warranty of merchantability
> or fitness for a particular purpose. */
> Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
> WSH 5.6 Documentation -
> http://msdn.microsoft.com/downloads/list/webdev.asp
> MSDN Library - http://msdn.microsoft.com/library/default.asp
>
>



 
Bob Barrows [MVP]
      11-27-2005
Why are you responding to month-old questions? The original poster is
unlikely to be paying attention to this thread anymore.

Bob Barrows

PJones wrote:
> check out www.aspprotect.com
> or search www.aspin.com
>
>
> "Roland Hall" <nobody@nowhere> wrote in message
> news:(E-Mail Removed)...
>> "Gottfried Mayer" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>>
>>> Although it seems easier to put this all in one place, you might
>>> want to consider this:
>>>
>>> If you do the encryption all server-side, every client will send
>>> his/her password as plain-text over the internet.
>>>
>>> In my opinion (and for security reasons), I would use a client-side
>>> (JavaScript) MD5 Hash to encrypt the password BEFORE sending it
>>> over the internet. (or use SSL to encrypt the whole data transfer
>>> between client and server)

>>
>> I would normally use SSL, as all basic authentication should, but the
>> client-side alternative is a good suggestion.
>>
>> --
>> Roland Hall
>> /* This information is distributed in the hope that it will be
>> useful, but without any warranty; without even the implied warranty
>> of merchantability or fitness for a particular purpose. */
>> Technet Script Center -
>> http://www.microsoft.com/technet/scriptcenter/ WSH 5.6 Documentation
>> - http://msdn.microsoft.com/downloads/list/webdev.asp
>> MSDN Library - http://msdn.microsoft.com/library/default.asp


--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 