How to Encrypt MS ACCESS PASSWORD FIELD USING ASP SOURCE?
hazee
05-04-2005, 06:50 PM
hi all ...
Can anyone help with how I can encrypt / decrypt the password field residing in the user registration table ... The database is MS ACCESS and the script is ASP.
cheers!
phpnovice
05-04-2005, 07:24 PM
Well, you can purchase an encryption method -- or, you can write your own. If you'd like to write your own, then you must decide what encryption method you wish to use. Just as an example:
<%
' A Vernam Cipher in ASP
'
' You may customize the following constant value, if desired
' You may also customize the file name and location for the key
'
Const g_KeyLen = 512
Dim g_KeyFile
g_KeyFile = Server.MapPath("crypto/crypto.txt")
'
Function DeCrypt(strEncrypted, strKey)
    Dim i, strClearText
    strClearText = ""
    for i = 1 to Len(strEncrypted)
        strClearText = strClearText & Chr(Asc(mid(strKey,i,1)) Xor Asc(mid(strEncrypted,i,1)))
    next
    DeCrypt = strClearText
End Function
'
Function EnCrypt(strClearText, strKey)
    Dim i, strEncrypted
    strEncrypted = ""
    for i = 1 to Len(strClearText)
        strEncrypted = strEncrypted & Chr(Asc(mid(strKey,i,1)) Xor Asc(mid(strClearText,i,1)))
    next
    EnCrypt = strEncrypted
End Function
'
Function GenKey(iKeyLength)
    Dim i, strMyKey, lowerbound, upperbound
    lowerbound = 35
    upperbound = 96
    Randomize ' Initialize random-number generator.
    for i = 1 to iKeyLength
        strMyKey = strMyKey & Chr(Int(((upperbound - lowerbound) + 1) * Rnd + lowerbound)) & ""
    next
    GenKey = strMyKey
End Function
'
Function ReadKeyFromFile(strFileName)
    Dim fso, keyFile, txtStream, strKey
    set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(strFileName) Then
        On Error Resume Next
        Call WriteKeyToFile(GenKey(g_KeyLen), strFileName)
        if Err <> 0 Then
            Response.Write "<p>Error Generating Key: Err# = " & Err.Number & ",<br>" & vbCrLf
            Response.Write "Desc: " & Err.Description & "</p>" & vbCrLf
        End If
        On Error Goto 0
    End If
    set keyFile = fso.GetFile(strFileName)
    set txtStream = keyFile.OpenAsTextStream(1, -2)
    strKey = txtStream.ReadAll
    txtStream.Close
    set txtStream = Nothing
    set keyFile = Nothing
    set fso = Nothing
    ReadKeyFromFile = strKey
End Function
'
Sub WriteKeyToFile(strKey, strFileName)
    Dim fso, keyFile
    set fso = Server.CreateObject("scripting.FileSystemObject")
    set keyFile = fso.CreateTextFile(strFileName, true)
    keyFile.Write(strKey)
    keyFile.Close
    set keyFile = Nothing
    set fso = Nothing
End Sub
'
Dim g_Key
g_Key = ReadKeyFromFile(g_KeyFile)
%>
hazee
05-04-2005, 08:11 PM
Thnx for a quick reply ...
I have some security problems on the website so I will block FSO on the server ... and for this reason I can't use the text files ...
How can we use this Vernam cipher to save and retrieve the passwords in MS ACCESS?
Cheers!!!
phpnovice
05-04-2005, 11:31 PM
Instead of storing the key in a text file, you can just store it in the database. As for usage... The following is just one example:
' The XOR output can contain an apostrophe, so escape the ciphertext as well
sql = "SELECT per_username " & _
      " FROM TBL_PERSON " & _
      " WHERE per_username='" & Replace(valUsername,"'","''") & "'" & _
      " AND per_password='" & Replace(EnCrypt(Request.Form("pass"), g_Key),"'","''") & "';"
hazee
05-05-2005, 05:36 AM
'Function ReadKeyFromFile()' will read the key from the text file .... Where should I store this key, as I don't want to use FSO ...
And will that key Decrypt the Encrypted text as it was before?
Thnx for help. I really appreciate.
phpnovice
05-05-2005, 07:59 AM
As I said, you can change from using FSO to using ADO and store/retrieve the key from a database. Otherwise, yes, the Decrypt() function will decrypt any text encrypted via the Encrypt() function. However, using the method shown and following standard security procedures for passwords, you should never have to use the Decrypt function. Meaning, you place a new password into the database using the Encrypt function and you compare for a matching password using the Encrypt function. According to standard security procedures for passwords, you should never decrypt the original password from the database. If someone needs a new password, you verify who they are by other means and merely reset their password so that they can sign on and supply a new password themselves. Of course, that is up to you. ;) For other text, yes, the Decrypt function is a necessity.
hazee
05-05-2005, 08:57 AM
It was really helpful and u increased my knowledge as well... Thanks for the help.
one thing .... Don't u think that it's dangerous to store the key somewhere in the database, and specially when it's MS-ACCESS?
Because yesterday I got to know that somebody downloaded my database from the server using FSO. I have a file uploading facility on the server; a person uploaded an ASP file and ran it, coz the physical path of the file is displayed in the status bar while downloading the file. Unfortunately I didn't block ASP/PHP/.net files from being uploaded ....
Dunno how to do ..... any idea?
Once again thnx for ur help.
phpnovice
05-05-2005, 10:18 AM
"Don't u think that it's dangerous to store the key somewhere in the database, and specially when it's MS-ACCESS?"
A solution is to remove the Encrypt/Decrypt functions from ASP and make them part of a COM object. Such a COM object can easily be written using Classic VB6, for example, to create an ActiveX DLL which you can instantiate and execute from within your ASP code. Thus, the key would be removed from ASP's knowledge as well and completely managed by the COM object. There are also other Encrypt/Decrypt methods that don't use a key. It is generally thought that these are more easily decipherable than key methods, though.
For a little more information about COM objects, see this thread:
http://www.webdeveloper.com/forum/showthread.php?t=64822
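Added example, not code from any poster in this thread: the thread's XOR scheme ported to Python beside a salted PBKDF2 hash, which keeps the "compare, never decrypt" rule from the earlier reply but leaves no key to steal if the database file is downloaded. Python is used because VBScript has no built-in hashing functions; the function names, the `iterations$salt$hash` storage format, the iteration count and the sample key are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; tune to what the server can afford

def xor_encrypt(text: str, key: str) -> str:
    """Port of the thread's EnCrypt/DeCrypt: XOR each character with the key."""
    if len(text) > len(key):
        raise ValueError("text is longer than the key")
    return "".join(chr(ord(k) ^ ord(c)) for k, c in zip(key, text))

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex', storable in one text column."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)

def compare_schemes(password: str, key: str) -> dict:
    """Contrast what each scheme leaves in the password column."""
    stored_a = xor_encrypt(password, key)   # user A
    stored_b = xor_encrypt(password, key)   # user B, same password
    hash_a, hash_b = hash_password(password), hash_password(password)
    return {
        "xor_same_for_same_password": stored_a == stored_b,
        "xor_reversible_with_key": xor_encrypt(stored_a, key) == password,
        "hash_same_for_same_password": hash_a == hash_b,
        "hash_verifies": verify_password(password, hash_a),
        "hash_rejects_wrong": not verify_password(password + "x", hash_a),
    }

if __name__ == "__main__":
    # Constructed sample key using characters from GenKey's range (35 to 96)
    print(compare_schemes("demo-Passw0rd", "K7#Z@Q9$M2&X5*R8"))
```

With the hash, login reads the stored record by username and calls `verify_password`, rather than putting the password value into the `WHERE` clause.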
hazee
05-05-2005, 01:38 PM
Thnx for some more knowledge ...
But my Hosting Company doesn't support COM objects. Will find out any other hosting company in a day or two ...
Following is the URL of my website ... Plz have a look at it ... and tell me with your experience: CAN U FIND SOME MISTAKES THAT CAN BREAK THE SECURITY of the website ...
http://www.preston.ae/
username to login:demo
password to login:demo
And plz if u find any security threat then better to Email me; as soon as I fix the problem I will post the problem with solution as a THREAD myself. My Email ID is rafi79@gmail.com
Thanks and Regards.