If you've ever written an application that stores passwords, you'll know
the importance of encryption. There's no point in password protecting things if all a user has to do is open a file or database to get all of the stored passwords.
It is possible, however, to write a very simple function that will both
encrypt and decrypt passwords. Simply pass the function the string you wish to encrypt, and a short key (to make it harder to break your encryption), and it will return the encrypted version. Pass it the encrypted version, and it will translate it back into plain text. Enjoy.
Private Function Encrypt(ByVal strInput As String, ByVal strKey As
String) As
String
Dim iCount As Long
Dim lngPtr As Long
For iCount = 1 To Len(strInput)
Mid(strInput, iCount, 1) = Chr((Asc(Mid(strInput, iCount, 1)))
Xor
(Asc(Mid(strKey, lngPtr + 1, 1))))
lngPtr = ((lngPtr + 1) Mod Len(strKey))
Next iCount
Encrypt = strInput
End Function
Reader Comments
"Your advice on encrypting passwords could lead to inadvertant disclosure of those passwords. Fundamentaly, your algorithm is the same stream encryption
used by Germany in World War II, but you have omitted all of the
essential elements which make it safe to use, specifically key length, key strength and key variation. You have implemented a symetric encryption
algorithm, but because it uses a fixed length, static key, it has may
of the same defects that the "Unbreakable Cipher" had (Charles Babbage
broke that one). That is, it is relatively easy to spot repeated
sequences and deduce the key length. From there, each column can be
treated as a fixed substitution cipher and broken individually to obtain
the original keyword.
"Further advantage can be taken because the average
user will choose a word as a key, not a string of pseudo-random
characters. Worse, because the cipher is symetric, the application can
retrieve the original passwords (you introduce this as a cipher to
encrypt passwords). If you can do it, then a hacker can also do it.
Break one password with this method and you have broken them all.
"Professional software needs to prevent this, which is normally done by
using the password itself as the key to encrypt a secret value. When
users attempt to logon, the client repeats the process and tests the
result against the stored value. If they are the same, then the user had
the right password. Even if a hacker breaks one password, they don't
have any of the others. I hope you pass this advice on to your readers, and I suggest they consult some of the many references on the Web."
