[SOLVED] Encrypted Password

[Monie]

I don't know if this is done through server side scripting (ASP/PHP) or maybe Javascript, but since this forum (PHP) is so popular, I posted it here to get some fast feedback

Ok, I have downloaded an ASP Forum from Web Wiz Guide and I went behind the forum code to see how they coded some "thing". It came to my attention to see how they manage to do the Encrypted Password.

Situation:

When we successfully register to the system (Username & Password), and went to the database to see the password field, all I can see is some numbers and alphabets combination.

My password is: monie, but in the database it displays this:

BC2BFC83DBD77018D12B980BE82933332B99977A

This is really a secure way of storing a password! Even the Admin guy of the forum doesn't know the user password!

So my typical simple direct question is, How to do that?

Thanks in advance.
Cheers...

[Rakuli]

That "Hash" it.

Basically hashing is a one-way encryption method.. The most popular are MD5 SHA1 and SHA2..

They take a string and encrypt it into a uniform length..... Most scripting languages include an implementation of these algorithms...

MySQL has it as a password function

Code: Select all

INSERT INTO table VALUES (PASSWORD('monie'), username)

PHP makes it even easier

PHP: Select all

$hash = md5('monie');



$hash = sha1('monie'); 

I assume ASP has one as well

It will not be retrievable....

[Monie]

Thanks Rakuli.

That means we need to Encrypt the password before saving them to the database, right?
What about the login page, will the password field recognize the Encrypted password?
Or do we need to Decrypt them?

Thanks.

[Rakuli]

You can never actually decrypt them, it is one way only.

When you are checking passwords, you are comparing hashes rather than passwords. You has the password first and the check it against the database value.

in mysql this would be

Code: Select all

SELECT username FROM table WHERE password = PASSWORD('monie')

Or in PHP

PHP: Select all

if (md5('monie') == $password)

    echo 'Password is okay!'; 

[Monie]

OK, let me search for the ASP Hash Algorithm first

EDIT: Found it, using MD5. I will look into it tonight. Thanks Rakuli! I'll get back to you ASAP

[Monie]

Ok, I manage to do it using MD5. What you need to do is download the MD5.asp file and include then on top of your page (verify page and register form page)

HTML: Select all

 <!--#include file="MD5.asp"-->
 ..
 ..
Password = MD5(Request.Form("txtPassword"))

Thanks Rakuli
Cheers...

P/S: Could you move this thread to ASP? Thanks.

[alexgeek]

ASP has hardly any built in functions!
You'd probably have to download like 200 files to get the functions for a forum.

[Monie]

As a matter of fact, ASP do have some built in function!

• ASP Built In Function
• VBScript Built In Function

Hai Alex. Just want to ask you
Do you mean when using MD5 in PHP, you just use the md5(textHere)? No other file needed? Include?

Cool..

[alexgeek]

Yes you can do that, among a few other encryption functions.
Thanks for those links though!

[Monie]

Cool...

In asp you need to download one asp file, named md5.asp (few hundred lines of code) just to use the MD5 Algorithm!

[Rakuli]

Quote:

Cool...

In asp you need to download one asp file, named md5.asp (few hundred lines of code) just to use the MD5 Algorithm!

It takes the same amount of lines but PHP is open source and md5 was long ago built into the core of the Zend Engine... ASP evolution is somewhat slower.

[Monie]

This encrypted password cannot be reversed engineered, aren't they?

[alexgeek]

Md5 is one way yes. It cannot be reversed.

[Monie]

Nice!
Thanks Alex!
Thanks Rakuli!

Cheers..