Re: Encrypt / Decrypt password?

From: Matt Barton
Date: 05/25/02

From: Matt Barton
Date: Fri, 24 May 2002 22:44:09 -0500
To: Mn


On Fri, 24 May 2002, Mn wrote:

> Environment: NT 4.0 Server (w/ latest service pack), MS-SQL Server 6.5,
> ASP, IIS 4.0
> Web application has a login / password ASP page.
> Would like to know how users' passwords could be encrypted and stored in
> the database. Also, should be able to decrypt the password to facilitate
> "Email my password" functionality for users who forget their password.
> Tried CAPICOM.DLL. But it encrypts a 10 character plain text to 142
> characters (for Algorithm = 3, 3DES). This would require password column
> in application table to be of approximately 150 characters!!! (there are
> 2000 users! Would like to avoid large column width).
> Am not sure if I could use CAPICOM.DLL for this purpose.

We've got a programmer in our company who is using CAPICOM.DLL for an
internal application we're building. As I understand it, once the key has
been cracked, all passwords become vulnerable. I may be wrong on that.

Personally, I believe the most secure thing to do is to store all your
passwords as hashes, in either SHA1 or MD5. No key, and passwords have to
be brute-forced individually.

You can still do the "e-mail my password" functionality by validating
other information about the user and then e-mailing a new password to them
which they could change later. Better yet, you can send them an e-mail
with a URL that will force them to reset their password.

Good luck.

-- 

Matt Barton
Indianapolis, IN

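The two recommendations in Matt's reply (store only hashes, and e-mail a reset URL rather than the password), as an added Python example that is not part of the original thread. The in-memory dictionaries stand in for the MS-SQL columns in the question, the one-hour expiry is an assumed policy, and SHA1 is iterated through PBKDF2 rather than applied once so that the per-password brute force the reply describes is slower.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory tables standing in for the MS-SQL columns in the post.
USERS = {}                # username -> {"salt": hex, "hash": hex}; no plaintext stored
RESET_TOKENS = {}         # sha1(token) hex -> (username, expires_at)
RESET_TTL_SECONDS = 3600  # assumed policy: reset links expire after one hour
ITERATIONS = 100_000      # iterating SHA-1 (PBKDF2) slows per-password brute force

def _hash(password, salt):
    # Per-user salt: equal passwords get different hashes, so each one
    # must be brute-forced individually, as the reply describes.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)

def create_user(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt.hex(), "hash": _hash(password, salt).hex()}

def verify_login(username, password):
    row = USERS.get(username)
    if row is None:
        return False
    candidate = _hash(password, bytes.fromhex(row["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(row["hash"]))  # constant time

def issue_reset_token(username, now=None):
    """Return the one-time secret for the e-mailed reset URL; only its hash is stored."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    expires_at = (time.time() if now is None else now) + RESET_TTL_SECONDS
    RESET_TOKENS[hashlib.sha1(token.encode()).hexdigest()] = (username, expires_at)
    return token

def reset_password(token, new_password, now=None):
    # The token is consumed on first use, valid or not, and must not have expired.
    entry = RESET_TOKENS.pop(hashlib.sha1(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expires_at = entry
    if (time.time() if now is None else now) > expires_at:
        return False
    create_user(username, new_password)  # rotates salt and hash together
    return True
```

Because the table holds a salt and a hash rather than a ciphertext, there is no key whose loss exposes every password at once, and a leaked reset table cannot be turned into usable reset links.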

