Re: Encrypt / Decrypt password?

From: Matt Barton
Date: Fri, 24 May 2002 22:44:09 -0500
To: Mn

On Fri, 24 May 2002, Mn wrote:

> Environment: NT 4.0 Server (w/ latest service pack), MS-SQL Server 6.5,
> ASP, IIS 4.0
> Web application has a login / password ASP page.
> Would like to know how users' passwords could be encrypted and stored in
> the database. Also, should be able to decrypt the password to facilitate
> "Email my password" functionality for users who forget their password.
> Tried CAPICOM.DLL. But it encrypts a 10 character plain text to 142
> characters (for Algorithm = 3, 3DES). This would require password column
> in application table to be of approximately 150 characters!!! (there are
> 2000 users! Would like to avoid large column width).
> Am not sure if I could use CAPICOM.DLL for this purpose.

We've got a programmer in our company who is using CAPICOM.DLL for an
internal application we're building. As I understand it, once the key has
been cracked, all passwords become vulnerable. I may be wrong on that.

Personally, I believe the most secure thing to do is to store all your
passwords as hashes, in either SHA1 or MD5. No key, and passwords have to
be brute-forced individually.

You can still do the "e-mail my password" functionality by validating
other information about the user and then e-mailing a new password to them
which they could change later. Better yet, you can send them an e-mail
with a URL that will force them to reset their password.

Good luck.

--

Matt Barton
Indianapolis, IN
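The hashed-storage and reset-link approach described in the reply above, as an added example that is not part of the original thread (Python rather than the poster's ASP). It keeps SHA-1 as the reply suggests but adds a per-user salt, and the in-memory user table, the 15-minute token lifetime and the user names are constructed assumptions; in current practice a slow password hash such as bcrypt, scrypt or Argon2 would replace SHA-1.

```python
import hashlib
import hmac
import secrets
import time

SALT_BYTES = 16      # random per-user salt: no shared key whose loss exposes every password
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

def hash_password(password, salt=None):
    """Return 'salt_hex$sha1_hex' (73 chars) for the password column."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest

def verify_password(password, stored):
    """Re-hash with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

class UserStore:  # constructed in-memory stand-in for the application's user table
    def __init__(self):
        self.users = {}  # name -> {"pw": hash, "reset": (token_hash, expiry) or None}

    def add_user(self, name, password):
        self.users[name] = {"pw": hash_password(password), "reset": None}

    def login(self, name, password):
        user = self.users.get(name)
        return user is not None and verify_password(password, user["pw"])

    def request_reset(self, name, now=None):
        """Return the token for the e-mailed URL; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.users[name]["reset"] = (token_hash, now + TOKEN_TTL)
        return token

    def complete_reset(self, name, token, new_password, now=None):
        """Accept the token once if unexpired and matching, then store the new hash."""
        now = time.time() if now is None else now
        user = self.users.get(name)
        if user is None or user["reset"] is None:
            return False
        token_hash, expiry = user["reset"]
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if now > expiry or not hmac.compare_digest(presented, token_hash):
            return False
        user["reset"] = None  # one-time use
        user["pw"] = hash_password(new_password)
        return True
```

Because only the token's hash is stored, a copy of the table cannot be used to complete a reset, and an expired or already-used link is rejected without touching the password.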