encrypt password

elloco999

Hi,

I have an application that accesses an Access db. In the db is a table called tblUser. It has two fields for storing usernames and passwords. Since anyone can open the db, I want to store the passwords encrypted.

I've been trying to figure out how to do this using the System.Security.Cryptography namespace. But all the encryption classes in this namespace use a stream to encrypt/decrypt things. Isn't there an easier way to encrypt the password? It is in a string, so is there a way to simply encrypt the contents of the string?

And if not, how do I do this using a stream?

Thanks,
El Loco
 
This will encrypt or decrypt 'text', it's not super secure, but it's not much overhead.

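public function cryption (byval text as string) as string
    ' Adds 128 to character codes below 128 and subtracts 128 from the rest,
    ' so calling the function a second time reverses the first call.
    dim strtempchar as string
    dim i as integer
    for i = 1 to len(text)
        if asc(mid$(text,i,1)) < 128 then
            strtempchar = ctype(asc(mid$(text,i,1)) +128, string)
        elseif asc(mid$(text,i,1)) >= 128 then
            ' 128 and above: subtract 128
            strtempchar = ctype(asc(mid$(text,i,1)) -128, string)
        end if
        ' write the shifted character back in place
        mid$(text,i,1) = chr(ctype(strtempchar,integer))
    next i
    return text
end function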
 
TPM said:
if asc(mid$(text,i,1)) < 128 then
strtempchar = ctype(asc(mid$(text,i,1)) +128, string)
elseif asc(mid$(text,i,1)) > 128 then
strtempchar = ctype(asc(mid$(text,i,1)) -128, string)
mid$(text,i,1) = chr(ctype(strtempchar,integer))

Does the '$' after the mid's serve a purpose? From what I can tell it doesn't, but I figured I should ask just in case. That, and I'm too lazy to research it at the moment.
 
JuggaloBrotha said:
Does the '$' after the mid's serve a purpose? From what I can tell it doesn't, but I figured I should ask just in case. That, and I'm too lazy to research it at the moment.

It doesn't anymore. The function was originally mid$ back in just BASIC, but now in .net you no longer need the $ character. As far as I know it was used so the interpreter would know what was a function or something.
 
An easy and secure method is to use the SHA256 algorithm on your string. SHA is a one way hashing algorithm that is designed to create a unique hash value for your string. You just save the hash value into the database instead of the password. The next time a user enters his password, just compare the hash value generated from the password entered with the one stored in the database. The .NET runtime has a class called SHA256Managed that will do all the work for you. Here is more info from MSDN:

http://msdn2.microsoft.com/en-us/library/system.security.cryptography.sha256managed.aspx
 
Hi

I'd avoid rolling your own encryption algorithm - every reference on encryption suggests avoiding this.

The cryptography namespaces in .NET offer a lot of functionality, but you have to know what you're doing. I've written a white paper that gives lots of sample code for using symmetric and asymmetric algorithms:

http://www.charteris.com/publications/whitepapers/default.asp

It's entitled:

Cryptographic Algorithms – Guidance for Developers

and is available for free. It has lots of code samples.

Another option is the Cryptography Application Block that's part of the Microsoft Enterprise Library. Here's an MS presentation showing how to use it:

http://www.pnplive.com/Slides/22MAR2005%20Crypto%20Block%20Webcast.ppt

I'd tend to avoid using the DPAPI for anything other than storing your encryption key. If your server goes down, then you can't recover the data from the database, as the encryption is unique to either the user or the machine it runs on.

Hope this helps

Chris Seary
 