
This tip explores how to write a very simple function that will both encrypt and decrypt passwords.

If you've ever written an application that stores passwords, you'll know the importance of encryption. There's no point in password-protecting things if all a user has to do is open a file or database to get all of the stored passwords.

It is possible, however, to write a very simple function that will both encrypt and decrypt passwords. Pass the function the string you wish to encrypt and a short key (the same key is needed to decrypt), and it will return the encrypted version. Pass it the encrypted version and the same key, and it will translate it back into plain text. This works because the function XORs each character of the input with the corresponding character of the key, cycling through the key as often as needed, and XOR undoes itself when applied a second time with the same key. Enjoy.

```vb
' Repeating-key XOR (classic VB6/VBA). The same routine encrypts and
' decrypts because XOR is its own inverse. strInput is passed ByVal,
' so the caller's string is left untouched.
Private Function Encrypt(ByVal strInput As String, ByVal strKey As String) As String
    Dim iCount As Long
    Dim lngPtr As Long   ' 0-based index into strKey; wraps at Len(strKey)
    For iCount = 1 To Len(strInput)
        ' XOR the current input character with the current key character
        Mid(strInput, iCount, 1) = Chr(Asc(Mid(strInput, iCount, 1)) Xor Asc(Mid(strKey, lngPtr + 1, 1)))
        lngPtr = (lngPtr + 1) Mod Len(strKey)   ' an empty strKey raises "Division by zero" here
    Next iCount
    Encrypt = strInput
End Function
```
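The same routine as an added example, ported to Python rather than the tip's VB so that it can be run anywhere; this is not code from the original tip. Beyond the round trip the tip promises, it carries out the check a reviewer would make before trusting the function: one record whose plaintext is known gives the key stream, the period of that stream is the key length, and the recovered key decrypts every other record. The key, the user table and the passwords are constructed for the example.

```python
# Added example, not code from the original tip: the tip's VB Encrypt
# function ported to Python, then the check a reviewer would run on it.
# Key, user table and passwords below are constructed for this example.


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the operation the VB Encrypt function performs.

    Byte i of the input is XORed with key[i mod len(key)]. XOR is its own
    inverse, so one function both encrypts and decrypts, exactly as the tip
    describes. Every call starts at key position 0, as the VB version does.
    """
    if not key:
        # The VB version hits 'Division by zero' on Mod here; fail explicitly.
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes: the key length.

    A repeating key leaves a repeating pattern in the key stream; its period
    is the key length (or a divisor of it if the key itself repeats, which
    gives an equivalent key).
    """
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the key stream.

    One record whose plaintext the attacker knows (their own account, for
    instance) hands over the key, provided that plaintext is at least as
    long as the key; a shorter one yields only a prefix of it.
    """
    stream = xor_crypt(ciphertext, known_plaintext)
    return stream[:key_period(stream)]


def break_all(stored: dict, known_user: str, known_password: bytes) -> dict:
    """Recover the key from one known record and decrypt every other one.

    Every record is encrypted under the same static key, so breaking one
    password breaks them all.
    """
    key = recover_key(stored[known_user], known_password)
    return {user: xor_crypt(ct, key) for user, ct in stored.items()}


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the common prefix of two ciphertexts.

    Because every call starts at key position 0, equal plaintext prefixes give
    equal ciphertext prefixes: each column is a fixed substitution, so
    relationships between passwords leak without any key at all.
    """
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


# --- Demonstration with constructed data ------------------------------------
KEY = b"secret"  # a short dictionary word, the kind of key a user picks

# What an application following the tip would persist (constructed table).
STORED = {
    "alice": xor_crypt(b"Tr0ub4dor&3", KEY),
    "bob": xor_crypt(b"hunter2", KEY),
    "mallory": xor_crypt(b"correcthorsebattery", KEY),
}


def demo() -> dict:
    # The round trip works as the tip promises...
    assert xor_crypt(STORED["alice"], KEY) == b"Tr0ub4dor&3"
    # ...and so does the attack: mallory knows only her own password.
    return break_all(STORED, "mallory", b"correcthorsebattery")


if __name__ == "__main__":
    for user, password in demo().items():
        print(f"{user}: {password.decode()}")
```

Note that the attack needs no cryptanalysis of the key itself: one known plaintext is enough, and a user of the application always knows at least one stored password, their own.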

"Your advice on encrypting passwords could lead to inadvertent disclosure of those passwords. Fundamentally, your algorithm is the same stream encryption used by Germany in World War II, but you have omitted all of the essential elements which make it safe to use, specifically key length, key strength and key variation. You have implemented a symmetric encryption algorithm, but because it uses a fixed length, static key, it has many of the same defects that the "Unbreakable Cipher" had (Charles Babbage broke that one). That is, it is relatively easy to spot repeated sequences and deduce the key length. From there, each column can be treated as a fixed substitution cipher and broken individually to obtain the original keyword.

"Further advantage can be taken because the average user will choose a word as a key, not a string of pseudo-random characters. Worse, because the cipher is symmetric, the application can retrieve the original passwords (you introduce this as a cipher to encrypt passwords). If you can do it, then a hacker can also do it. Break one password with this method and you have broken them all.

"Professional software needs to prevent this, which is normally done by using the password itself as the key to encrypt a secret value. When users attempt to logon, the client repeats the process and tests the result against the stored value. If they are the same, then the user had the right password. Even if a hacker breaks one password, they don't have any of the others. I hope you pass this advice on to your readers, and I suggest they consult some of the many references on the Web."
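The scheme the reader describes, as an added example in Python (not code from the original page or from the reader): the password is used as the key of a one-way computation over a stored value, and logon recomputes that value and compares. The building block assumed here is PBKDF2-HMAC-SHA256 from the Python standard library, which keys an HMAC with the password and iterates it over a per-user random salt; the random salt, the iteration count and the storage format are this example's choices and are not mentioned on the page. The user table is constructed for the example.

```python
# Added example, not from the original page: a password verifier in the
# style the reader describes (password as the key, stored value compared at
# logon). Standard library only. Storage format, salt size and iteration
# count are this example's own choices.
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # slows down guessing; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier string for storage.

    PBKDF2-HMAC-SHA256 keys an HMAC with the password and iterates it over a
    random per-user salt. The result is one-way: nothing stored lets the
    application (or an attacker holding the table) recover the password, and
    no key is shared between records, so one cracked password tells the
    attacker nothing about the others.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier from the presented password and compare.

    Parameters are read from the stored string, so the iteration count can be
    raised for new records without invalidating old ones. The comparison is
    constant-time so that it does not leak how many bytes matched.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Verifier for unknown users, so a lookup miss costs the same time as a
# wrong password and usernames cannot be enumerated by timing the login.
_DUMMY = hash_password("not a real password")

# Constructed user table: the application stores verifiers, never passwords.
USERS = {
    "alice": hash_password("Tr0ub4dor&3"),
    "bob": hash_password("hunter2"),
    "carol": hash_password("hunter2"),  # same password as bob, different record
}


def login(user: str, password: str) -> bool:
    """Authenticate against the table."""
    stored = USERS.get(user, _DUMMY)
    return verify_password(password, stored) and user in USERS


if __name__ == "__main__":
    print("bob/hunter2:", login("bob", "hunter2"))
    print("bob/Hunter2:", login("bob", "Hunter2"))
    print("bob and carol share a password, but not a verifier:",
          USERS["bob"] != USERS["carol"])
```

Two properties matter here and neither holds for the XOR routine: the stored value cannot be turned back into the password, by the application or by anyone who copies its database, and the per-user salt means two users with the same password get different records, so a table of precomputed verifiers does not pay off either.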

This was last published in February 2001
