
Encrypting Passwords

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=11946
Printed Date: 30 March 2026 at 11:29am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Encrypting Passwords
Posted By: Misty
Subject: Encrypting Passwords
Date Posted: 25 September 2004 at 4:39pm

I would like to get insights from people about something.  I know that it is very useful to encrypt passwords that are stored in a database especially if your database could be downloaded from your web site. However, I have a concern about forgotten passwords. I've heard that people cannot receive their passwords via email if they are encrypted. Is there any way to work around this? Another concern that I have is a person would have to reset his/her password if he or she forgot it. 

  




Replies:
Posted By: dj air
Date Posted: 25 September 2004 at 4:52pm

what you/people usually do when someone has forgotten their password is you then create a new one (random) and send it via email or something....

 



Posted By: xeerex
Date Posted: 25 September 2004 at 5:01pm
Interestingly, you can yank passwords literally out of cyberspace since 99% of all emails are sent in plain text. It's very simple to do at the correct places, although considering the amount of email flying around including spam, I suppose it isn't too practical. Go and download Ethereal or similar software and let it monitor your traffic. It's especially funny (scary??) when you run it on your LAN if you have one. You'll find out all sorts of nifty things...

I'd have to say I'm for the "email a new password/activation link" and require an immediate password change just for safety....but that's my 2 cents.


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: pmormr
Date Posted: 27 September 2004 at 10:25pm
you could do what msn does... use a secret question or something like that.

-------------
Paul A Morgan

http://www.pmorganphoto.com/


Posted By: Mart
Date Posted: 28 September 2004 at 2:55am
That's insecure IMHO, 90% of the people hacked on MSN will be hacked because someone guessed their secret question (not an official statistic)


Posted By: padoxky
Date Posted: 30 March 2005 at 9:17am
I suggest you follow this link, http://www.w100w.com, you'll find what you are looking for.
If you still need it.
 


-------------
NgWebDesigns


Posted By: Gullanian
Date Posted: 30 March 2005 at 1:12pm
Reset password is best I reckon. Gotta be careful of people resetting other people's passwords to be a nuisance however.


Posted By: ub3rl337ch3ch
Date Posted: 04 April 2005 at 12:38am
All encrypts do have a decrypt. It's a matter of knowing what the cypher is.
 
What you could do is send a link via email which will take them to a password change page as though they had logged in normally (eg, set your password checker to "if 1=1" for that page, or something like that).
 
That or resetting their pass, and sending an autogen pass to them by email. Both have the problems with people plucking them out of cyberspace, but the top one would probably be slightly more secure, as someone interested in random mayhem is less likely to bother following a link and entering new pass and everything, than just using a pass... the difference is marginal however.
 
A better way than plain text would be to send them the password in a .txt file which you had changed the extension of (to something like .dud) and then instruct them to change the extension back to .txt. This is a lot less likely to be picked up by a password sniffer.


Posted By: zMaestro
Date Posted: 04 April 2005 at 3:40am

what's the way used in wwforums?

the password is encrypted, isn't it?


Posted By: dj air
Date Posted: 04 April 2005 at 5:42am
yes the password is encrypted within WWF

it's 160-bit one-way hash encryption with a Salt Key to help prevent similarities within the encryption

the salt key is randomly generated.

and is added to the end of the password then encrypted.

so the salt key is stored on a per-user basis (this makes it even more secure as each user has a different Salt Key)

and the encrypted password is stored within the database

then to check the password you encrypt the entered password using the user's Salt Key, and then compare it against the Encrypted Password stored in the database; if they both match, the password entered is correct.
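
The per-user salt scheme described in the post above, written out as an added example; it is not Web Wiz Forums' code and not part of the thread. SHA-1 is assumed for the "160 bit" hash because the post does not name the algorithm, the PBKDF2 variant beside it is the same idea with a deliberately slow function, and the function names and in-memory `db` dict are hypothetical.

```python
import hashlib
import hmac
import secrets


def make_salt(nbytes: int = 16) -> str:
    """Random per-user salt from the OS CSPRNG, hex-encoded for storage."""
    return secrets.token_hex(nbytes)


def legacy_hash(password: str, salt: str) -> str:
    """Scheme from the post: salt appended to the password, then one hash.
    SHA-1 is an assumption (the post only says "160 bit")."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: str, iterations: int = 600_000) -> str:
    """Same idea with a deliberately slow KDF, so each guess against a
    downloaded database costs far more than one fast hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    ).hex()


def register(db: dict, user: str, password: str, hasher=slow_hash) -> None:
    """Store only the salt and the hash, never the password itself."""
    salt = make_salt()
    db[user] = {"salt": salt, "hash": hasher(password, salt)}


def verify(db: dict, user: str, password: str, hasher=slow_hash) -> bool:
    """Re-hash the entered password with the user's stored salt and compare."""
    row = db.get(user)
    if row is None:
        return False
    candidate = hasher(password, row["salt"])
    return hmac.compare_digest(candidate, row["hash"])  # constant-time compare


if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the users table
    register(db, "alice", "hunter2", legacy_hash)
    register(db, "bob", "hunter2", legacy_hash)
    # Same password, different salts: the stored hashes do not match.
    print(db["alice"]["hash"] != db["bob"]["hash"])
    print(verify(db, "alice", "hunter2", legacy_hash))
    print(verify(db, "alice", "wrong", legacy_hash))
```

Because only the salt and the hash are stored, there is nothing to email back to a user who forgets the password, which is why the thread settles on reset flows.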


