asp_web_howto thread: Encrypting a password to protect a data-entering page
Message #1 by "Christopher Cote" <chrscote@9...> on Wed, 11 Dec 2002 15:48:11
I have a page in my web site which is used to update baseball stats in a
database. Of course, I don't want just anyone to be able to come in and
add things to the database, so I am creating a login page which will make
sure the person is authorized to change the data. Rather than simply
entering their usernames and passwords into the database, I want to
encrypt the password. I'd rather create an encryption routine of my own
than have to install a component into the server. Does anyone know how to
do this? I've been searching the web for a couple of hours now and still
can't find a site that shows an ASP routine that will encrypt strings.
Thanks,
Chris
Message #2 by Jack_Speranza <jsperanza@g...> on Wed, 11 Dec 2002 10:45:34 -0500
Try out this link... http://www.di-mgt.com.au/crypto.html
It provides sample code of various encryption algorithms in VB...
It shouldn't be too difficult to translate some of these into
an ASP routine.
Also, if you check out the archives at WROX (not sure if in
this group or another), I recall being provided with the
VBScript for an RC4 encryption routine by somebody in the
not too distant past (within the last 4-9 months)
HTH.
******************************
Jack Speranza
Gryphon Networks
Automating Privacy Compliance for Business
xxx.xxx.xxxx x129
www.gryphonnetworks.com
"Software never has bugs. It just develops random features."
Message #3 by "phil griffiths" <pgtips@m...> on Wed, 11 Dec 2002 16:24:59
There's a good article about this here:
http://aspnet.4guysfromrolla.com/articles/112002-1.aspx
There's no actual encryption code, but it's a nice discussion of hashing
and salting a password.
rgds
Phil
Message #4 by "Christopher Cote" <chrscote@9...> on Wed, 11 Dec 2002 17:47:35
Hi guys,
Thanks for the messages so far. I'd like to know if anyone has seen any
specific examples of how to code any of these algorithms. If you have,
please let me know where you saw it (whether it was in a book or on the
web). I don't really care too much what language it was written in, since
I should be able to convert it into ASP myself.
As a side note, I would also like to be able to decode the passwords
back to their original form in case someone forgets theirs.
Chris
Message #5 by "Enzo Zaragoza" <enzaux@g...> on Thu, 12 Dec 2002 09:16:23 +0800
I'm not quite sure if this is possible. But I do have an encryption class
that will encrypt strings in hex format, so this will avoid any unwanted
characters in your encrypted strings. Well, actually I was not the one who made
it, I just have it compiled to a DLL. Maybe you can use the DLL in ASP, if
it is possible only :D
enzo c",)
Message #6 by "phil griffiths" <pgtips@m...> on Thu, 12 Dec 2002 13:45:55
Hi Chris,
>------------------------------------------
>I would also like to be able to decode the passwords
>back to their original form in case someone forgets theirs
>------------------------------------------
You are, of course, free to do whatever you want, but I would urge you not
to do this. The standard way to store passwords is to use one-way
encryption (or hashing) techniques. Passwords should never be stored in a
format that can be decrypted. If I clicked on a site's 'forgotten
password' link I would be horrified to be sent my original password - that
would imply to me that the site stored passwords in an insecure format. I
would never use that site again.
The standard way to do it is to add a "salt" to the password (e.g. use
user name as the salt) and then hash that combination and store it in the
db. Then when someone logs in, you take the password they have entered,
add the user name as a salt and then hash that. Take this hash and
compare it with the hash in the db. If they match it's the right password,
if not it's not! That way you can verify the password without having to
know what it is in plain-text. The link I gave you previously explains
this procedure well, plus it has ASP.NET code to implement it.
If the user forgets their password, you should generate a new one for
them, salt and hash it, store it in the db and then send it out to them.
There are standard secure hash algorithms such as MD5 and SHA freely
available. For example http://www.frez.co.uk/freecode.htm has VB and ASP
versions of them.
hth
Phil
Message #7 by "Christopher Cote" <chrscote@9...> on Thu, 12 Dec 2002 15:55:34
Thank you very much. I hadn't realized this major flaw in my concept. I
will definitely use the one-way hash instead.
Chris
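The salt-and-hash flow described in Message #6 (store, verify at login, reset on a forgotten password), as an added example that is not part of the thread and not any poster's code. It is written in Python rather than ASP, and it swaps in a random per-user salt and PBKDF2-HMAC-SHA256 for the user-name salt and plain MD5/SHA mentioned in the thread; the `users` dict, the function names, the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune to the server's hardware

# Stand-in for the users table: username -> (salt, iterations, hash).
# The plain-text password is never stored.
users = {}


def _derive(password, salt, iterations):
    """Slow salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(username, password):
    """Salt and hash a password, then store only the salt and the hash."""
    salt = secrets.token_bytes(16)  # fresh random salt per user and per change
    users[username] = (salt, ITERATIONS, _derive(password, salt, ITERATIONS))


def verify_login(username, password):
    """Re-hash the submitted password with the stored salt and compare."""
    record = users.get(username)
    if record is None:
        return False
    salt, iterations, stored = record
    candidate = _derive(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def reset_password(username):
    """Forgotten password: issue a new random one; the old one is unrecoverable."""
    if username not in users:
        raise KeyError(username)
    new_password = secrets.token_urlsafe(12)
    set_password(username, new_password)
    return new_password  # deliver to the user out of band (e.g. e-mail)


if __name__ == "__main__":
    set_password("chris", "constructed-sample-password")  # constructed sample
    print(verify_login("chris", "constructed-sample-password"))
    print(verify_login("chris", "wrong-guess"))
    temp = reset_password("chris")
    print(verify_login("chris", temp))
```

Storing the iteration count beside each hash lets the work factor be raised later without invalidating existing records.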