
## This tip explores how to write a very simple function that will both encrypt and decrypt passwords.

If you've ever written an application that stores passwords, you'll know the importance of encryption. There's no point in password protecting things if all a user has to do is open a file or database to get all of the stored passwords.

It is possible, however, to write a very simple function that will both encrypt and decrypt passwords. Simply pass the function the string you wish to encrypt, and a short key (to make it harder to break your encryption), and it will return the encrypted version. Pass it the encrypted version, and it will translate it back into plain text. Enjoy.

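```
Private Function Encrypt(ByVal strInput As String, ByVal strKey As String) As String
    ' XOR each character of strInput with the matching character of strKey,
    ' cycling through the key. Passing the result back in with the same key
    ' returns the original text.
    Dim iCount As Long
    Dim lngPtr As Long   ' zero-based position within the key

    For iCount = 1 To Len(strInput)
        Mid(strInput, iCount, 1) = Chr(Asc(Mid(strInput, iCount, 1)) Xor _
            Asc(Mid(strKey, lngPtr + 1, 1)))
        lngPtr = (lngPtr + 1) Mod Len(strKey)
    Next iCount

    Encrypt = strInput
End Function
```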

"Your advice on encrypting passwords could lead to inadvertent disclosure of those passwords. Fundamentally, your algorithm is the same stream encryption used by Germany in World War II, but you have omitted all of the essential elements which make it safe to use, specifically key length, key strength and key variation. You have implemented a symmetric encryption algorithm, but because it uses a fixed length, static key, it has many of the same defects that the "Unbreakable Cipher" had (Charles Babbage broke that one). That is, it is relatively easy to spot repeated sequences and deduce the key length. From there, each column can be treated as a fixed substitution cipher and broken individually to obtain the original keyword.

"Further advantage can be taken because the average user will choose a word as a key, not a string of pseudo-random characters. Worse, because the cipher is symmetric, the application can retrieve the original passwords (you introduce this as a cipher to encrypt passwords). If you can do it, then a hacker can also do it. Break one password with this method and you have broken them all.

"Professional software needs to prevent this, which is normally done by using the password itself as the key to encrypt a secret value. When users attempt to log on, the client repeats the process and tests the result against the stored value. If they are the same, then the user had the right password. Even if a hacker breaks one password, they don't have any of the others. I hope you pass this advice on to your readers, and I suggest they consult some of the many references on the Web."
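The reader's two points, as an added Python example (not code from the original tip or from the reader): a port of the tip's XOR routine showing that one known password exposes the shared key stream and every stored value it covers, next to a salted one-way verifier in the spirit of the last paragraph. PBKDF2-HMAC-SHA256 is swapped in for the "encrypt a secret value" scheme the reader describes; the 600,000 iteration default, the function names and the sample accounts are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from itertools import cycle

def xor_encrypt(text, key):
    """Python port of the tip's Encrypt: repeating-key XOR, its own inverse."""
    return "".join(chr(ord(c) ^ ord(k)) for c, k in zip(text, cycle(key)))

def keystream_from_known_pair(plaintext, stored):
    """A known password XORed with its stored form yields the key stream."""
    return "".join(chr(ord(p) ^ ord(s)) for p, s in zip(plaintext, stored))

def exposure_from_one_known_password(store, user, password):
    """Every record no longer than the recovered stream falls with that one password."""
    stream = keystream_from_known_pair(password, store[user])
    return {u: xor_encrypt(s, stream)
            for u, s in store.items() if len(s) <= len(stream)}

def make_verifier(password, iterations=600_000):
    """One-way alternative: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def check_password(candidate, record):
    """Repeat the derivation at log-on and compare in constant time."""
    salt, iterations, digest = record
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, digest)

if __name__ == "__main__":
    # Constructed sample data: one application-wide key, three stored passwords.
    app_key = "secret"
    users = {"alice": "correcthorse", "bob": "tr0ub4dor", "carol": "letmein"}
    store = {u: xor_encrypt(p, app_key) for u, p in users.items()}
    print(exposure_from_one_known_password(store, "alice", "correcthorse"))
    record = make_verifier("correcthorse")
    print(check_password("correcthorse", record), check_password("letmein", record))
```

With the verifier, the stored record cannot be run backwards to a password, and the per-user salt means two users with the same password get different records.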

This was last published in February 2001
