Bug in plain text passwords

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=20978
Printed Date: 09 April 2026 at 6:44am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Bug in plain text passwords
Posted By: rockliffe
Subject: Bug in plain text passwords
Date Posted: 10 August 2006 at 1:05pm
Hi,
 
I thought you would like to know that if you use plain text passwords (blnEncryptedPasswords = False), then the code to update passwords in register.asp will not work correctly, as it sets the new password to <password><salt> rather than just <password> (see below).
 
Cheers,
 
Ben
 

    'If the password doesn't match that stored in the db then this is a password update
    If rsCommon("Password") <> strEncryptedPassword AND blnConfirmPassOK Then
        'Generate new salt
        strSalt = getSalt(Len(strPassword))
        'Concatenate salt value to the password
        strEncryptedPassword = strPassword & strSalt
        'Re-generate encrypted password with new salt value
        If blnEncryptedPasswords Then strEncryptedPassword = HashEncode(strEncryptedPassword)
        'Set the changed password boolean to true
        blnPasswordChange = True
    End If
 
should be:
 

    'If the password doesn't match that stored in the db then this is a password update
    If rsCommon("Password") <> strEncryptedPassword AND blnConfirmPassOK Then
        If blnEncryptedPasswords Then
            'Generate new salt
            strSalt = getSalt(Len(strPassword))

            'Concatenate salt value to the password
            strEncryptedPassword = strPassword & strSalt
            'Re-generate encrypted password with new salt value
            strEncryptedPassword = HashEncode(strEncryptedPassword)
        Else
            strEncryptedPassword = strPassword
        End If

        'Set the changed password boolean to true
        blnPasswordChange = True
    End If



Replies:
Posted By: WebWiz-Bruce
Date Posted: 11 August 2006 at 9:31am
Many thanks for pointing this out.

Although I would highly recommend that you do use password encryption.

