If you've ever written an application that stores passwords, you'll know the importance of encryption. There's no point in password protecting things if all a user has to do is open a file or database to get all of the stored passwords.
It is possible, however, to write a very simple function that will both encrypt and decrypt passwords. Simply pass the function the string you wish to encrypt, and a short key (to make it harder to break your encryption), and it will return the encrypted version. Pass it the encrypted version, and it will translate it back into plain text. Enjoy.
Private Function Encrypt(ByVal strInput As String, ByVal strKey As String) As String Dim iCount As Long Dim lngPtr As Long For iCount = 1 To Len(strInput) Mid(strInput, iCount, 1) = Chr((Asc(Mid(strInput, iCount, 1))) Xor (Asc(Mid(strKey, lngPtr + 1, 1)))) lngPtr = ((lngPtr + 1) Mod Len(strKey)) Next iCount Encrypt = strInput End Function
"Your advice on encrypting passwords could lead to inadvertant disclosure of those passwords. Fundamentaly, your algorithm is the same stream encryption used by Germany in World War II, but you have omitted all of the essential elements which make it safe to use, specifically key length, key strength and key variation. You have implemented a symetric encryption algorithm, but because it uses a fixed length, static key, it has may of the same defects that the "Unbreakable Cipher"
had (Charles Babbage broke that one). That is, it is relatively easy to spot repeated sequences and deduce the key length. From there, each column can be treated as a fixed substitution cipher and broken individually to obtain the original keyword.
"Further advantage can be taken because the average user will choose a word as a key, not a string of pseudo-random characters. Worse, because the cipher is symetric, the application can retrieve the original passwords (you introduce this as a cipher to encrypt passwords). If you can do it, then a hacker can also do it. Break one password with this method and you have broken them all.
"Professional software needs to prevent this, which is normally done by using the password itself as the key to encrypt a secret value. When users attempt to logon, the client repeats the process and tests the result against the stored value. If they are the same, then the user had the right password. Even if a hacker breaks one password, they don't have any of the others. I hope you pass this advice on to your readers, and I suggest they consult some of the many references on the Web."
This was first published in February 2001