Re: Encrypt / Decrypt password?

From: Matt Barton (mattyb77@newsguy.com)
Date: 05/25/02


From: Matt Barton <mattyb77@newsguy.com>
Date: Fri, 24 May 2002 22:44:09 -0500
To: Mn <r_meen@yahoo.com>



On Fri, 24 May 2002, Mn wrote:

> Environment: NT 4.0 Server (w/ latest service pack), MS-SQL Server 6.5,
> ASP, IIS 4.0
>
> Web application has a login / password ASP page.
>
> Would like to know how users' password could be encrypted and stored in
> the database. Also, should be able to decrypt the password to facilitate
> "Email my password" functionality for users who forget their password.
>
> Tried CAPICOM.DLL. But it encrypts a 10 character plain text to 142
> characters (for Algorithm = 3, 3DES). This would require password column
> in application table to be of approximately 150 characters!!! (there are
> 2000 users! Would like to avoid large column width).
>
> Am not sure if I could use CAPICOM.DLL for this purpose.

We've got a programmer in our company who is using CAPICOM.DLL for an
internal application we're building. As I understand it, once the key has
been cracked, all passwords become vulnerable. I may be wrong on that.

Personally, I believe the most secure thing to do is to store all your
passwords as hashes, in either SHA1 or MD5. No key, and passwords have to
be brute-forced individually.

You can still do the "e-mail my password" functionality by validating
other information about the user and then e-mailing a new password to them
which they could change later. Better yet, you can send them an e-mail
with a URL that will force them to reset their password.

Good luck.

--

Matt Barton mattyb77@newsguy.com
Indianapolis, IN http://www.mattbarton.ws/

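Matt's recommendation, storing only hashes and e-mailing a reset URL rather than the password, as an added Python example that is not code from this thread. It goes one step beyond the post by salting and iterating the password hash and by storing only a hash of the reset token with an expiry; the in-memory dicts are constructed stand-ins for the SQL tables.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "tables" standing in for the application database.
USERS = {}         # username -> (salt_hex, hash_hex): 32 + 64 chars, no key to crack
RESET_TOKENS = {}  # sha256(token) hex -> (username, expires_at)

def hash_password(password, salt=None):
    """Salted, iterated one-way hash: the stored value cannot be decrypted,
    so a leaked table has to be brute-forced one user at a time."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()

def set_password(username, password):
    USERS[username] = hash_password(password)

def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt_hex, stored = rec
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)   # constant-time compare

def issue_reset_token(username, ttl_seconds=3600, now=None):
    """Return the random token to embed in the e-mailed URL. Only its hash is
    stored, so the database never holds a value that can be replayed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + ttl_seconds)
    return token

def redeem_reset_token(token, new_password, now=None):
    """Single-use and time-limited: sets the new password and returns True,
    or returns False for an unknown, already-used or expired token."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # pop: the token is consumed either way
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    set_password(username, new_password)
    return True
```

The old password is never recoverable from the table, which is exactly what makes "e-mail my password" impossible and a reset link the right replacement.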


