## This tip explores how to write a very simple function that will both encrypt and decrypt passwords.

If you've ever written an application that stores passwords, you'll know the importance of encryption. There's no point in password protecting things if all a user has to do is open a file or database to get all of the stored passwords.

It is possible, however, to write a very simple function that will both encrypt and decrypt passwords. Simply pass the function the string you wish to encrypt, and a short key (to make it harder to break your encryption), and it will return the encrypted version. Pass it the encrypted version, and it will translate it back into plain text. Enjoy.

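```
Private Function Encrypt(ByVal strInput As String, ByVal strKey As String) As String
    Dim iCount As Long
    Dim lngPtr As Long   ' zero-based position in strKey; wraps at Len(strKey)

    ' XOR each character of the input with the next character of the
    ' repeating key. Passing the output back in with the same key
    ' restores the original text. strKey must not be empty.
    For iCount = 1 To Len(strInput)
        Mid(strInput, iCount, 1) = Chr((Asc(Mid(strInput, iCount, 1))) Xor _
                                       (Asc(Mid(strKey, lngPtr + 1, 1))))
        lngPtr = ((lngPtr + 1) Mod Len(strKey))
    Next iCount
    Encrypt = strInput
End Function
```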

"Your advice on encrypting passwords could lead to inadvertent disclosure of those passwords. Fundamentally, your algorithm is the same stream encryption used by Germany in World War II, but you have omitted all of the essential elements which make it safe to use, specifically key length, key strength and key variation. You have implemented a symmetric encryption algorithm, but because it uses a fixed length, static key, it has many of the same defects that the "Unbreakable Cipher" had (Charles Babbage broke that one). That is, it is relatively easy to spot repeated sequences and deduce the key length. From there, each column can be treated as a fixed substitution cipher and broken individually to obtain the original keyword.

"Further advantage can be taken because the average user will choose a word as a key, not a string of pseudo-random characters. Worse, because the cipher is symmetric, the application can retrieve the original passwords (you introduce this as a cipher to encrypt passwords). If you can do it, then a hacker can also do it. Break one password with this method and you have broken them all.

"Professional software needs to prevent this, which is normally done by using the password itself as the key to encrypt a secret value. When users attempt to log on, the client repeats the process and tests the result against the stored value. If they are the same, then the user had the right password. Even if a hacker breaks one password, they don't have any of the others. I hope you pass this advice on to your readers, and I suggest they consult some of the many references on the Web."
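The contrast the reader draws, as an added example in Python (not code from the original tip or from the reader's letter): `xor_cipher` is a port of the tip's `Encrypt` function, and `make_record`/`verify` store a one-way value derived from the password and check a login by repeating the derivation. PBKDF2-HMAC-SHA256 is used here as the one-way function in place of the "encrypt a secret value" construction the reader mentions; the function names, the `iterations$salt$hash` record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def xor_cipher(text: bytes, key: bytes) -> bytes:
    """Port of the tip's Encrypt(): repeating-key XOR (key must be non-empty)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(text))


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex'; nothing stored can be decrypted."""
    salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Repeat the derivation with the stored salt and compare in constant time."""
    try:
        iter_s, salt_hex, hash_hex = record.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iter_s)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # a malformed record never authenticates


def demo(iterations: int = 1_000) -> dict:
    key, pw = b"secret", b"hunter2"  # constructed sample key and password
    stored = xor_cipher(pw, key)
    rec_a = make_record("hunter2", iterations)
    rec_b = make_record("hunter2", iterations)
    return {
        # Whoever holds the application's key can read every stored password.
        "xor_is_reversible": xor_cipher(stored, key) == pw,
        # Two users with the same password get identical stored values.
        "xor_equal_passwords_match": xor_cipher(pw, key) == stored,
        # Salted one-way records differ even for identical passwords.
        "kdf_equal_passwords_differ": rec_a != rec_b,
        "kdf_accepts_correct": verify("hunter2", rec_a),
        "kdf_rejects_wrong": not verify("hunter3", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```
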

This was last published in February 2001
