
SALT description

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=11336
Printed Date: 09 April 2026 at 1:00am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: SALT description
Posted By: cbr600
Subject: SALT description
Date Posted: 29 July 2004 at 12:32am

Can anyone please explain to me in detail how the Salt, Password and Usercode work and how they are stored in the DB?

Give me the example for

User - test
Password - webwiz 

 

Thanks in advance




Replies:
Posted By: WebWiz-Bruce
Date Posted: 29 July 2004 at 9:51am
The Salt value is a random hex value that is added to the end of the password before encryption.

This means that a hacker can't try to break the encryption by trying to spot likenesses in the encrypted passwords with common values.

eg. If the encrypted password for 'webwiz' is 'ADE4674AD' then a hacker just needs to look for this to know what that user's password is. With the salt value added before the password is encrypted, the encrypted passwords would not look the same even if multiple users have the same password.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: WebWiz-Bruce
Date Posted: 29 July 2004 at 9:52am
Sorry forgot to mention, the user code is just for cookie tracking and nothing to do with passwords.



Posted By: cbr600
Date Posted: 29 July 2004 at 10:26am

So basically you add a salt value to your password, and then encrypt it using the functions\hash1way.asp

I want to know what it exactly does because I have to append records to my tblAuthor from a previous login system I had on my web site.

So I would like all users to keep the old passwords they used to log in to my website, and use the same login to enter the forum.

So i have on the old login DB to convert to the web wiz SQL DB

Old Login - convert - tblAuthor

U_ID - convert - Author_ID
U_NAME - convert - Username
U_PASSWORD - convert - Password
U_EMAIL - convert - Author_email

And so I have to know how to convert a regular password to use the salt and encryption system tblAuthor uses, so that I can create a script that automatically converts my Old Login.

 



Posted By: WebWiz-Bruce
Date Posted: 29 July 2004 at 11:34am
What you have is correct.

The user_code just needs to be a unique, not easily guessed text string.

The following is about the encryption used in Web Wiz Forums, so it will give you an idea of how the salt value is appended to passwords and why:

http://local.15seconds.com/issue/000217.htm




Posted By: cbr600
Date Posted: 29 July 2004 at 12:56pm

My question is, if I wanted to create a page that receives the inputted (from a form) username and password, and displays the SALT, Username, Usercode, and Password to me, how would I do that? Using of course the same method as the Web Wiz forum does.

Simply tell me: get this code from line x to y from file this.asp and include file that.asp, etc it would be a lot easier for me.

Thanks in advance.



Posted By: WebWiz-Bruce
Date Posted: 29 July 2004 at 1:21pm
Not sure what you mean, but the register.asp page handles the registration of new users and creates the salt value, encrypts the password, and creates the user code for the user.



Posted By: cbr600
Date Posted: 29 July 2004 at 2:48pm

I know. What I want to do is create a .asp that reads all records from my old DB and converts them to be like tblAuthor.

I showed you my tblLOGIN table, so what I need is what would that page be like?

1 - open Old database
2 - for each record, use code to get U_PASSWORD and U_NAME and convert them to Password, User_Code, and Salt (can be displayed on the monitor or can be directly replaced in the old DB) so that it can be compatible with the forum DB.

 



Posted By: WebWiz-Bruce
Date Posted: 29 July 2004 at 6:55pm
The username field can be copied straight over.

The user code field can be any unique value you want. (something not easy to guess would be best)

The salt and encrypted passwords are done by functions in the file function/function_hash1way.asp

Call the function getSalt(7), '7' being the length of the generated salt value.

Store the salt value in the database.

Then place the salt value on the end of the password and, using the HashEncode() function, pass it your password with the salt value added to get your encrypted password.




Posted By: Phat
Date Posted: 29 July 2004 at 9:22pm
Make sure you do Lcase(password) as well. I got caught by not doing this before encrypting.
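
The conversion steps from the two replies above (generate a salt, lower-case the password, put the salt on the end, hash, store both), as an added example that is not part of the thread and not Web Wiz Forums code. It is written in Python rather than ASP; get_salt() and hash_encode() are stand-ins for the forum's getSalt() and HashEncode(), SHA-1 and the user code format are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac
import secrets

def get_salt(length=7):
    """Random uppercase hex salt; stand-in for the forum's getSalt(7)."""
    return secrets.token_hex((length + 1) // 2)[:length].upper()

def hash_encode(text):
    """Stand-in for HashEncode(); SHA-1 is an assumption, the thread names no hash."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def convert_record(old):
    """Map one legacy row (U_* columns from the thread) to tblAuthor-style fields."""
    salt = get_salt(7)
    # Lower-case first, then put the salt on the end, then hash.
    stored = hash_encode(old["U_PASSWORD"].lower() + salt)
    return {
        "Author_ID": old["U_ID"],
        "Username": old["U_NAME"],
        "Password": stored,
        "Salt": salt,
        # Assumed format: any unique, hard-to-guess string will do.
        "User_Code": old["U_NAME"] + secrets.token_hex(8).upper(),
        "Author_email": old["U_EMAIL"],
    }

def check_login(row, supplied):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hash_encode(supplied.lower() + row["Salt"])
    return hmac.compare_digest(candidate, row["Password"])

# Constructed sample rows: two users whose passwords differ only in case.
LEGACY = [
    {"U_ID": 1, "U_NAME": "test", "U_PASSWORD": "webwiz",
     "U_EMAIL": "test@example.invalid"},
    {"U_ID": 2, "U_NAME": "test2", "U_PASSWORD": "WebWiz",
     "U_EMAIL": "test2@example.invalid"},
]

def migrate(rows):
    """Convert every legacy row; each row gets its own fresh salt."""
    return [convert_record(r) for r in rows]

if __name__ == "__main__":
    for row in migrate(LEGACY):
        # Same password, different salt, so the stored values differ.
        print(row["Username"], row["Salt"], row["Password"])
```

A single fast hash like this is cheap to brute-force offline even when salted; current practice for new systems is a deliberately slow KDF such as PBKDF2, bcrypt, scrypt or Argon2.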


Posted By: cbr600
Date Posted: 16 August 2004 at 1:36pm

OK, I created some code to convert my existing DB to the new format like wwforum.mdb.

Here it is.

<% @ Language=VBScript %>
<!--#include file="common.asp" -->
<!--#include file="functions/functions_hash1way.asp" -->
<!--#include file="functions/functions_filters.asp" -->

<%

strDatabaseDateFunction = "Now()"

Set adoCon = Server.CreateObject("ADODB.Connection")
strDbPathAndName = Server.MapPath("admin/database/login.mdb")
strCon = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & strDbPathAndName
adoCon.connectionstring = strCon
adoCon.Open

query = "SELECT TOP 10 * FROM tblAuthor"

Set rsLogin = Server.CreateObject("ADODB.Recordset")
rsLogin.CursorType = 0
rsLogin.CursorLocation = 2
rsLogin.LockType = 1
rsLogin.Open query, adoCon


%>

<%

'******************************************
'***    Create Usercode       *****
'******************************************

Private Function userCode(ByVal strUsername)

 'Randomise the system timer
 Randomize Timer

 'Calculate a code for the user
 strUserCode = strUsername & hexValue(15)

 'Make the usercode SQL safe
 strUserCode = formatSQLInput(strUserCode)

 'Replace double quote with single in this instance
 strUserCode = Replace(strUserCode, "''", "'", 1, -1, 1)

 'Return the function
 userCode = strUserCode
End Function

%>
<style type="text/css">
<!--
.style8 {font-family: Arial, Helvetica, sans-serif; font-weight: bold; font-size: 10px; }
.style10 {font-family: Arial, Helvetica, sans-serif; font-size: 10px; }
-->
</style>


<table border=1 width=50%>
<tr align="center">
 <td>
   <span class="style8">Username
   </span></td>
 <td>
   <span class="style8">Usercode
   </span></td>
 <td>
   <span class="style8">Password
   </span></td>
 <td>
   <span class="style8">prev. Password
   </span>
 </td>
 <td>
   <span class="style8">Salt
   </span></td>
</tr>


<% while not rsLogin.eof %>

<%

Dim strUsername
Dim strPassword
Dim strSalt


strUsername = rsLogin("Username")
strPassword = rsLogin("Password")
'strSalt = rsLogin("Salt")


 '******************************************
 '***       Create a usercode   ***
 '******************************************

  'Calculate a code for the user
  strUserCode = userCode(strUsername)


 '******************************************
 '***   Encrypt password ***
 '******************************************

  strSalt = getSalt(Len(strPassword))

  'Concatenate salt value to the password
  strEncryptedPassword = strPassword & strSalt

  'Encrypt the password
  strEncryptedPassword = HashEncode(strEncryptedPassword)

 '******************************************
 '***       Create usercode cookie ***
 '******************************************
     
    'Write the cookie with the name Forum containing the value UserID number
  Response.Cookies(strCookieName)("UID") = strUserCode

   'Set the expiry date for 1 year (365 days)
  'If no expiry date is set the cookie is deleted from the users system 20 minutes after they leave the forum
  Response.Cookies(strCookieName).Expires = Now() + 365

%>

<tr>
 <td>
   <span class="style10"><%= rsLogin("Username")%>
   </span></td>
 <td>
   <span class="style10"><%= strUserCode %>
   </span></td>
 <td>
   <span class="style10"><%= strEncryptedPassword %>
   </span></td>
 <td>
   <span class="style8"><%= rsLogin("Password")%>
   </span>
 </td>
 <td>
   <span class="style10"><%= strSalt %>
   </span></td>
</tr>
<% rsLogin.movenext
wend%>

</table>

<%
  rsLogin.Close
  Set rsLogin = Nothing
  adoCon.Close
  Set adoCon = Nothing
%>

 


The result is:

Username Usercode Password prev. Password Salt
llima llimaE2Z21CA43BDB442 72780F0C4EECE6B3CDCC586A2205096B90FDADE7 llima AFE38
palmeida palmeidaZZ6E434C16DA1C9 14EB10BA6A949DC82FE36C6DBFE5531DBA9B9C27 2799 899C
nsousa nsousa7EZ9CAF5893Z9A7 818F23F25051974CE0DE563127C4B8767EBB2732 nsousa AE4A30
nlopes nlopesE8DFBF3BBZ4B5C4 E78A0470CF3C1445BD24578B95BAA56ABF658119 nlopes F3AF23
olivcapt olivcapt2126DD79FZEE168 1FAEE817E


Posted By: cbr600
Date Posted: 17 August 2004 at 8:59am

Hi Borg:

I'm desperate with this problem because all my site development is stalled because of this. Can you give me any hint?

Thanks in advance



Posted By: ljamal
Date Posted: 17 August 2004 at 4:25pm
Is the newly added user active?

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: WebWiz-Bruce
Date Posted: 17 August 2004 at 4:37pm
The new users with all their details are being entered into the forum database?

Also each time a user logs in their Usercode is changed, so running two databases of member details will not work.




Posted By: cbr600
Date Posted: 18 August 2004 at 9:42am

I figured out what the error was. I was selecting an extra space character from the displayed table. Glad I found that stupid mistake, 'cos I was going nuts.

Thanks again Borg. If anyone wants a script to merge their existing user DB to a WWForum DB, PM me and I'll send you exactly what to do.



