Home page   WebCheatSheet.com


How to Encrypt Passwords in the Database

If you are developing a password-protected web site, you have to make a decision about how to store user password information securely.

What is "secure," anyway? Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users' passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true "security." Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).

MD5 encryption is a one-way hashing algorithm. Two important properties of the MD5 algorithm are that it is impossible to revert back an encrypted output to the initial, plain-text input, and that any given input always maps to the same encrypted value. This ensures that the passwords stored on the server cannot be deciphered by anyone. This way, even if an attacker gains reading permission to the user table, it will do him no good.

MD5 does have its weaknesses. MD5 encryption is not infallible: if the password is not strong enough, a brute force attack can still reveal it. So, you can ask: "Why should I use MD5 if I know it is not the most secure?" The answer is fairly straightforward: it's fast, it's easy, and it can be powerful if salted. The greatest advantage of MD5 is its speed and ease of use.

It is vitally important to understand that password encryption will not protect your website, it can protect your passwords only. If your website does not have sufficient protection, password encryption will not make it safe from cracking. If your system has been cracked, a hacker can inflict a irreparable damage to it and also gain an access to confidential information, including passwords database. But if you store this information encrypted, hackers practically cannot make use of it. Cracking an encrypted password takes a large amount of time and processing power, even on today's computers.

There are no built-in MD5 functions in ASP. To enable MD5 encryption you should include md5.asp.

So, let's start. First of all, you need to add a new account to your database. The following code allows to do it.

const TBL_LOGIN  = "users_table_name"
const FLD_PASS  = "password_field_name"
const DB_NAME   = "db_name"

Dim dbconnection
Set dbConnection = server.CreateObject("ADODB.Connection")

Dim strConnection
strConnection = "PROVIDER=Microsoft.Jet.OLEDB.4.0;" & _
"Data Source=" & Server.MapPath(DB_NAME)

dbConnection.ConnectionString = strConnection
dbConnection.Open

...

function addNewUser(password)
   password = md5(password)
   SQL = "INSERT INTO " & TBL_LOGIN & " VALUES ('" & password & "')"
   dbconnection.execute SQL
end function

Now, when a new user completes the registration form, his password will be encrypted automatically.

After that we should write code that validates a given username/password pair.

function checkUserPass(password)
      
  password = md5(password)    

  'Verify that user is in database
  SQL = "SELECT password FROM ".TBL_LOGIN." WHERE username = '" & username & "'"
  Set RecordSet = dbconnection.execute(SQL)
   
  if RecordSet.eof then
     response.write("No records returned")
  else 
   
   'Retrieve password from RecordSet
   if RecordSet("password") = password then
       response.write("Success! Username and password confirmed")
   else 
      response.write("Success! Username and password confirmed")
   end if
  end if
end function

And what if you already have users' database ready and want to start using encrypted passwords? To do it, you need to write encypt.asp script with the following code and run it in your browser.

<!--#include file="md5.asp"-->
<%
const TBL_LOGIN  = "users_table_name"
const FLD_PASS  = "password_field_name"
const DB_NAME   = "db_name"

Dim dbconnection
Set dbConnection = server.CreateObject("ADODB.Connection")

Dim strConnection
strConnection = "PROVIDER=Microsoft.Jet.OLEDB.4.0;" & _
"Data Source=" & Server.MapPath(DB_NAME)

dbConnection.ConnectionString = strConnection
dbConnection.Open

Dim RecordSet
Set RecordSet = server.CreateObject("ADODB.Recordset")

Dim SQL
SQL = "SELECT * FROM " & TBL_LOGIN

RecordSet.open SQL , dbConnection,1,2

total=0
enc=0
doencrypt=false

if Request("do")="encrypt" then doencrypt=true

do  until RecordSet.eof
  if doencrypt then
    total=total+1
  
    if not encrypted(RecordSet(FLD_PASS)) then
      RecordSet(FLD_PASS)=md5(RecordSet(FLD_PASS))
      RecordSet.Update
    end if
  
    enc=enc+1
 
else
  total=total+1
  if encrypted(RecordSet(FLD_PASS)) then
    enc=enc+1
  end if
 
  RecordSet.MoveNext
loop

Recordset.Close
Set Recordset=Nothing
dbconnection.Close
Set dbconnection=Nothing

function encrypted(str)
if len(str)<>32 then
  encrypted=false
  exit function
 end if
 
 dim i
 for i=1 to 32
   c = asc(mid(str,i,1))
   if (c<asc("0") and c>asc("9")) and (c<asc("a") or c>asc("f")) then
     encrypted=false
     exit function
  end if
 next

  encrypted=true

end function
%>

<html>
<head><title>Encrypt passwords</title></head>
<body>
Total passwords in the table - <%=total %><br>
<% if enc=total and total>0 then %>
All passwords are encrypted.
<% elseif total>0 then %>
Unencrypted - <%=(total-enc)%><br><br>
Click "GO" to encrypt <%=(total-enc) %> passwords.<br>
WARNING! There will be no way to decipher the passwords.<br>
<input type=button value="GO" onclick="window.location='encrypt.asp?do=encrypt';">
<% end if %>
</body>
</html>

See also, article How to encrypt passwords in the database with PHP code examples.

Back to top



Copyright © 2005-2007 www.WebCheatSheet.com All Rights Reserved.