Encrypt Your Password Database with a One-way Hash (2024)


Protect a Password Database with a One-way Hash
A one-way hash function is a cryptographic algorithm that turns an arbitrary-length input into a fixed-length binary value. The transformation is one-way: given a hash value, it is computationally infeasible to re-create a document that would produce this value. There are three widely used hash algorithms: MD4, MD5, and SHA. MD4 and MD5 produce 128-bit hashes, and SHA a 160-bit hash.

Although the main purpose of hash functions in cryptography is to produce digital signatures, they can also be used to protect passwords in a user database. The idea is to store the hash values of passwords instead of the passwords themselves. To validate user credentials, the hash function is applied to the password submitted by a user and the resulting value is compared with the hashed password stored in the database. If the hashes match, the user is authenticated. This way, even if the user database falls into the wrong hands, it will be hard for the intruder to recover the actual user passwords.

Computing Hash Using AspEncrypt
With AspEncrypt, a hash function is computed in three steps:

1. Create a CryptoHash object.
2. Add a text string or file to it. This step may be repeated several times.
3. Retrieve the result in a desired format.

<%
' Step 1: create a CryptoHash object (default algorithm: SHA)
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True)
Set Hash = Context.CreateHash
' Step 2: feed data into the hash (AddText/AddFile may be called repeatedly)
Hash.AddText "some text"
' Step 3: read the result, here as a hex string
Response.Write Hash.Value.Hex
%>

The CreateHash method accepts an optional HashAlgorithm argument. It is calgSHA by default.

The Hash.Value property returns a CryptoBlob object containing the computed hash value. This blob object can be queried using the Hex, Base64 or Binary properties as described in previous sections.

Dictionary Attacks and Salt
Even a hash-encrypted password database is not entirely secure. A hacker can compile a list of, say, the 1,000,000 most commonly used passwords and compute the hash function of each of them. If he then gets hold of your user account database, he can compare the hashed passwords in the database with his own list to see what matches. This is a "dictionary attack" and it can be very successful.

To make the dictionary attack more difficult, salt is used. Salt is a random string that is concatenated with the password before the hash function is applied. The salt value is then stored in the user database together with the result of the hash function. Using salt makes dictionary attacks practically impossible, as a hacker would have to compute the hashes for all possible salt values. However, salt does not make attacks on an individual password any harder, therefore it is important to use passwords that are hard to guess.

Sample User Database
The sample MS Access database shipped with the product contains the table Users, which has three fields: Username, Password and Salt. The following ASP code (also found in the file Samples\Passwords\AddUser.asp of the installation) allows you to add a user account to the Users table. The salt is calculated by concatenating together 10 random characters between 'A' and 'Z'.

<HTML>
<BODY>
<%
If Request("Create") <> "" Then
If Request("Password") = Request("Password2") Then
' Generate random salt (10 characters between 'A' and 'Z').
' Note: Rnd is a general-purpose, not a cryptographic, random generator.
Randomize
Salt = ""
For i = 1 to 10
Salt = Salt & Chr(Int(Rnd * 26) + 65) ' 65 is ASCII for "A"
Next

' Calculate Hash of Password + Salt (default algorithm: SHA)
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True)
Set Hash = Context.CreateHash
Hash.AddText Request("Password") & Salt
HashValue = Hash.Value.Hex

' Save username, hashed value and salt in the database.
' The line continuation (_) must sit outside the string literal.
' Note: Request("Username") is concatenated straight into the SQL text;
' production code should pass it as a query parameter instead.
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=AspEncrypt;UID=;PWD=;"
SQL = "insert into Users(Username, Password, Salt) " & _
"values('" & Request("Username") & "','" & HashValue & "','" & Salt & "')"
Conn.Execute SQL

Response.Write "Account was successfully created."
Else
Response.Write "Password was not correctly confirmed."
End If
End If
%>

<FORM ACTION="AddUser.asp" METHOD="POST">
Username:<INPUT TYPE="TEXT" NAME="Username">
Password:<INPUT TYPE="PASSWORD" NAME="Password">
Confirm Password:<INPUT TYPE="PASSWORD" NAME="Password2">
<INPUT TYPE="Submit" NAME="Create" VALUE="Create Account">
</FORM>

</BODY>
</HTML>

The following code snippet (also found in the file Samples\Passwords\Validate.asp) validates a submitted username/password pair against the Users database.

<HTML>
<BODY>
<%
If Request("ValidateIt") <> "" Then
' Obtain user record (hashed value and salt) by username.
' The line continuation (_) must sit outside the string literal.
' Note: Request("Username") is concatenated straight into the SQL text;
' production code should pass it as a query parameter instead.
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select password, salt from Users " & _
"where Username = '" & Request("Username") & "'"
rs.Open SQL, "DSN=AspEncrypt;UID=;PWD=;"
If Not rs.EOF Then
HashValue = rs("Password")
Salt = rs("Salt")

' Calculate Hash of specified password + Salt from DB (default algorithm: SHA)
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True)
Set Hash = Context.CreateHash
Hash.AddText Request("Password") & Salt
HashValue2 = Hash.Value.Hex

' Compare the stored hash with the freshly computed one
If HashValue = HashValue2 Then
Response.Write "Account was successfully validated."
Else
Response.Write "Invalid Password."
End If
Else
Response.Write "User not found."
End If
End If
%>

<FORM ACTION="Validate.asp" METHOD="POST">
Username:<INPUT TYPE="TEXT" NAME="Username">
Password:<INPUT TYPE="PASSWORD" NAME="Password">
<INPUT TYPE="Submit" NAME="ValidateIt" VALUE="Validate Account">
</FORM></BODY>
</HTML>
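The store-and-validate scheme that AddUser.asp and Validate.asp implement, written here as an added Python example (not AspEncrypt code and not from the original page): a 10-letter salt from 'A'..'Z', the 160-bit SHA of password + salt stored as hex, and validation that recomputes it from the stored salt. Assumptions: the in-memory dict stands in for the Users table, upper-case hex is this example's rendering of Hash.Value.Hex, and secrets replaces the sample's Rnd.

```python
import hashlib
import hmac
import secrets
import string

SALT_LENGTH = 10  # the ASP sample builds a 10-character salt from 'A'..'Z'


def make_salt(length=SALT_LENGTH):
    # secrets is a CSPRNG; the VBScript sample's Rnd is not.
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(length))


def hash_password(password, salt):
    # Same construction as Hash.AddText Request("Password") & Salt with the
    # default 160-bit SHA, read back like Hash.Value.Hex (upper case is this
    # example's choice).
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest().upper()


def add_user(users, username, password, salt=None):
    # 'users' is a dict standing in for the Users table: Username -> (Password, Salt)
    if salt is None:
        salt = make_salt()
    users[username] = (hash_password(password, salt), salt)
    return salt


def validate(users, username, password):
    record = users.get(username)
    if record is None:
        return False  # Validate.asp reports "User not found." here
    stored_hash, salt = record
    # compare_digest keeps the comparison time independent of where hashes differ
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


if __name__ == "__main__":
    users = {}  # constructed, in-memory stand-in for the sample Users table
    add_user(users, "alice", "correct horse")
    add_user(users, "bob", "correct horse")
    # Same password, different salts: the stored values differ, which is why a
    # table of precomputed hashes no longer matches.
    print(users["alice"][0] != users["bob"][0])
    print(validate(users, "alice", "correct horse"), validate(users, "alice", "wrong"))
```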
