Hello, how can I encrypt and decrypt passwords in a database without any components; can it be done?

Thanks, Martin.

Few links to articles:

http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=site:www.4guysfromrolla.com+encryption - http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=site:www.4guysfromrolla.com+encryption

hey Michael, if you are thinking what i am thinking

if he answers "SQL", were you going to point him to the "undocumented and unsupported" encryption built into SQL 2000?

if that's the case, you have good links for that?

well, i searched around a bit and found the command "pwdencrypt()", and considering every hit i found says "undocumented", that must be it, but searching google for that term brings back a bunch of hits talking about some security hole......

but its probably a hole that has been plugged by now

still looking for a page on how to use this

i couldnt tell you because while i know the 6.xx code inside and out, i have yet to even look at a line of code in V7 since i am currently shopping for a .NET-based answer to forums

back on the pwddecrypt(), i just posted on a few other forums trying to fish for some how-to's

our DBA here at work knows a little, he said he's gonna get some code toghether for me, i'll be sure to post it

Ah yes, easier than i thought

Run against Northwind DB

DECLARE @Address nvarchar(60), @EncryptAddress nvarchar(60)

SET @Address = '123 Main Street'
SET @EncryptAddress = PWDENCRYPT(@Address)

INSERT INTO Employees (LastName, FirstName, Address)
  VALUES ('Doe', 'John', @EncryptAddress)
SELECT TOP 1 EmployeeID, LastName, FirstName, Address, Len(Address) As AddressLength
  FROM Employees ORDER BY EmployeeID DESC

SELECT EmployeeID FROM Employees
 WHERE LastName = 'Doe' AND Address = @Address
SELECT EmployeeID FROM Employees
 WHERE LastName = 'Doe' AND Address = PWDENCRYPT(@Address)

The first SELECT shows that you can't "see" whats in the "Address" column and the Length column just shows that something is in there

Now notice that the second SELECT brings back no results since the plain address didnt match the encrypted column "address", but the third one did

Does that work with a standard access 2000 database or a 'Northwind' one only?

Thanks, Martin.

its a SQL 2000 function, access has nothing like this that i know of

(you did say above "SQL")

Oh, it doesn't matter now because I've just found a hash 1 way fuction that I can use (hashs request.form("password") Then pulls out the record).

Thanks for all your help anyway, Martin.

Z I am using this encryption for some time now and yes there was a little hole which supposedly has been plugged in sp3.
I use that script to authenticate a password:
strSQL =          "Declare @LoginUser varchar(30) "
strSQL = strSQL & "Declare @EncryptedPIN varbinary(255) "
strSQL = strSQL & "Select @LoginUser = (Select Username from Logins where Username = '" & Username & "') "
strSQL = strSQL & "Select @EncryptedPIN = (Select [Password] from Logins where Username = @LoginUser) "
strSQL = strSQL & "Select @LoginUser AS Username, Access, pwdCompare('" & Password & "', @EncryptedPin, 0) AS Success "
strSQL = strSQL & "FROM Logins where Username = @LoginUser"
Set RS = conn.Execute(strSQL)

this just returns either 1 for success or 0 in which case i throw him back

and the following to  encrypt an entered password:
pwdencrypt('" & Password & "')   within an insert that is. The field itself i use binary so even there is harder to read out. Works well for me and runs faster then most hash1's I found.

as a final note on this topic

if you are using SQL Server like you said, i am not sure how anything easier than:

Changing:
SELECT * FROM UserInfo WHERE Username = Entered Username AND Password = Entered Password
To:
SELECT * FROM UserInfo WHERE Username = Entered Username AND Password = PWDENCRYPT(Entered Password)

Or Changing:
INSERT INTO UserInfo (Username,Password) VALUES (Entered Username, Entered Password)
To:
INSERT INTO UserInfo (Username,Password) VALUES (Entered Username, PWDENCRYPT(Entered Password))

no extra functions to slow you down, no muss, no fuss... that's it!  but alas, not my programming, i can only offer advice/help

Hi, before I just found out that I wouldn't have access to SQL. Is it possible to use your function with an access database?

Thanks, Martin.

Z, it does not really wqork like that as the password with pwdencrypt is always different. It uses a time value as salt, try it in query analyzer, every time you encrypt it the pw will be different.

Mart, there is no builtin function in access, you would habe to use an asp hash function like this forum does.

Ok thanks michael, can I use that same function as this forum or do I have to use a differant one?

Thanks, martin.

Do you mean the Web Wiz link in the forum or the comments inside the script?

Thanks, Martin.