Re: Encrypt / Decrypt password?

From: Matt Barton (mattyb77@newsguy.com)
Date: 05/25/02

Next message: MdB: "i am so mad!!!!!"
Previous message: Matt Barton: "Re: SQL Server Security"
In reply to: Mn: "Encrypt / Decrypt password?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Matt Barton <mattyb77@newsguy.com>
Date: Fri, 24 May 2002 22:44:09 -0500
To: Mn <r_meen@yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 24 May 2002, Mn wrote:

> Environment: NT 4.0 Server (w/ latest service pack), MS-SQL Server 6.5,
> ASP, IIS 4.0
>
> Web application has a login / password ASP page.
>
> Would like to know how users' password could be encrypted and stored in
> the database. Also, should be able to decrypt the password to facilitate
> "Email my password" functionality for users who forget their password.
>
> Tried CAPICOM.DLL. But it encrypts a 10 character plain text to 142
> characters (for Algorithm = 3, 3DES). This would require password column
> in application table to be of approximately 150 characters!!! (there are
> 2000 users! Would like to avoid large column width).
>
> Am not sure if I could use CAPICOM.DLL for this purpose.

We've got a programmer in our company who is using CAPICOM.DLL for an
internal application we're building. As I understand it, once the key has
been cracked, all passwords become vulnerable. I may be wrong on that.

Personally, I believe the most secure thing to do is to store you all
passwords as hashes, in either SHA1 or MD5. No key, and passwords have to
be brute-forced individually.

You can still do the "e-mail my password" functionality by validating
other information about the user and then e-mailing a new password to them
which they could change later. Better yet, you can send them an e-mail
with a URL that will force them to reset their password.

Good luck.

- --

Matt Barton mattyb77@newsguy.com
Indianapolis, IN http://www.mattbarton.ws/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE87wiL0MGobtNQgm0RAtaeAKDIzRl9zVYbr29HXdVyHjhV+Sgn6gCdF5mo
zcaYXo/0v51JJAgQkf8l2iI=
=qLKs
-----END PGP SIGNATURE-----

Next message: MdB: "i am so mad!!!!!"
Previous message: Matt Barton: "Re: SQL Server Security"
In reply to: Mn: "Encrypt / Decrypt password?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: [RFC][PATCH] x86-optimized SHA1 hash for CryptoAPI
... SHA1, taken from Nettle. ... functionality as crypto/sha1.c, I could abstract out common code between the ... C version expects the caller to allocate a temporary buffer (to minimize the ... If the optimized code was used with the current API, ...
(Linux-Kernel)
Re: mailinglists and mailclient usage?
... Hash: SHA1 ... feature. ... functionality, and rumors that Sylpheed Claws does as well. ... `'` proud Debian admin and user ...
(Debian-User)
Re: [opensuse] IP tables
... Hash: SHA1 ... does this mean that your one-liner will/could nearly replace all the functionality of "Denyhosts"?? ... dunno. ...
(SuSE)
Re: Module for better file locking. Name => "IO::Lock" ?
... Hash: SHA1 ... Is there any way you could just add your better functionality to the ... nobody would have to change ...
(comp.lang.perl.modules)