How To Encrypt Passwords In An SQL Database

https://codingsec.net/2016/04/encrypt-passwords-in-an-sql-database/

We all know that passwords cannot be treated like any other data that is sent to the database. We need to protect them from prying eyes. To do this, we use encryption.

MD5 is one of the best-known hashing algorithms. Two important properties of the MD5 algorithm are that it is impossible to revert an output back to the original plain-text input, and that any given input always maps to the same output value. This ensures that the passwords stored on the server cannot be decrypted by anyone. This way, even if an attacker gains read access to the user table, he will have a tough time.

MD5 does have its weaknesses. MD5 is not infallible: if the password is not strong enough, a brute-force attack can still reveal it. So you may ask: “Why should I use MD5 if I know it is not the most secure?” The answer is fairly straightforward: it’s fast, it’s easy, and it can be powerful if salted. The greatest advantage of MD5 is its speed and ease of use.

It is vitally important to understand that password encryption will not protect your website; it can only protect your passwords. If your website does not have sufficient protection, password encryption will not make it safe from cracking. If your system has been cracked, a hacker can inflict irreparable damage on it and also gain access to confidential information, including the password database. But if you store this information encrypted, hackers practically cannot make use of it. Cracking an encrypted password takes a large amount of time and processing power, even on today’s computers.

Let’s start. First of all, you need to add a new account to your database. The following code does this.

Const TBL_LOGIN = "users_table_name"
Const FLD_PASS  = "password_field_name"
Const DB_NAME   = "db_name"

Dim dbConnection
Set dbConnection = Server.CreateObject("ADODB.Connection")

Dim strConnection
strConnection = "PROVIDER=Microsoft.Jet.OLEDB.4.0;" & _
                "Data Source=" & Server.MapPath(DB_NAME)

dbConnection.ConnectionString = strConnection
dbConnection.Open

...

' md5() is assumed to be a helper defined in the part of the page elided above
Function addNewUser(username, password)
    Dim cmd
    password = md5(password)
    ' Parameterised INSERT: the username never becomes part of the SQL text
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbConnection
    cmd.CommandText = "INSERT INTO " & TBL_LOGIN & " (username, " & FLD_PASS & ") VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 255, username)   ' 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("password", 200, 1, 32, password)    ' MD5 hex digest is 32 characters
    cmd.Execute
End Function

Now, when a new user completes the registration form, his password will be MD5-hashed automatically before it reaches the table.

After that, we write the code that validates a given username/password pair.

Function checkUserPass(username, password)
    Dim cmd, RecordSet
    password = md5(password)

    ' Verify that the user is in the database (parameterised, so the username cannot alter the query)
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbConnection
    cmd.CommandText = "SELECT " & FLD_PASS & " FROM " & TBL_LOGIN & " WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 255, username)   ' 200 = adVarChar, 1 = adParamInput
    Set RecordSet = cmd.Execute

    If RecordSet.EOF Then
        Response.Write("No records returned")
    Else
        ' Compare the stored hash with the hash of the supplied password
        If RecordSet(FLD_PASS) = password Then
            Response.Write("Success! Username and password confirmed")
        Else
            Response.Write("Wrong username or password")
        End If
    End If
End Function
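The register-and-verify flow that the two ASP functions implement, as an added Python example (not the post's own code) against an in-memory SQLite table: PBKDF2-HMAC-SHA256 with a per-user random salt is swapped in for the post's md5(), the salt being what the post means by "powerful if salted", and query placeholders replace string-built SQL. Table and column names mirror the post's constants; the iteration count is an assumption.

```python
import hashlib
import hmac
import os
import sqlite3

# Names mirror the post's constants; the table is constructed in memory for the example.
TBL_LOGIN = "users_table_name"
FLD_PASS = "password_field_name"
PBKDF2_ROUNDS = 200_000  # assumed work factor, not a value from the post


def hash_password(password: str, salt: bytes) -> str:
    """Salted, iterated hash; PBKDF2-HMAC-SHA256 stands in for the post's md5()."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()  # salt is stored beside the hash so login can reuse it


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TBL_LOGIN} (username TEXT PRIMARY KEY, {FLD_PASS} TEXT NOT NULL)")
    return conn


def add_new_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """The post's addNewUser: only the salted hash is stored, never the plaintext."""
    stored = hash_password(password, os.urandom(16))  # fresh 16-byte salt per account
    # Placeholders keep the user-supplied values out of the SQL text (no string concatenation).
    conn.execute(f"INSERT INTO {TBL_LOGIN} (username, {FLD_PASS}) VALUES (?, ?)", (username, stored))
    conn.commit()


def stored_hash(conn: sqlite3.Connection, username: str):
    row = conn.execute(f"SELECT {FLD_PASS} FROM {TBL_LOGIN} WHERE username = ?", (username,)).fetchone()
    return None if row is None else row[0]


def check_user_pass(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The post's checkUserPass: re-hash the candidate with the stored salt and compare."""
    stored = stored_hash(conn, username)
    if stored is None:
        return False  # unknown user; same answer as a wrong password
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison so response timing does not leak how much of the hash matched.
    return hmac.compare_digest(candidate, stored)
```

Because every account gets its own salt, two users who chose the same password end up with different stored values, so a hash cracked for one does not reveal the other.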

I hope you find this article useful. Please take the time to share your opinion in the comments.
