Classic ASP Password Hash

Hello All,

I've been tasked with hashing passwords for a classic ASP application. I've googled, but I'm a little confused as to how to do this...

Any ideas?

Thanks
garethtnash Asked:

Scott Fell, EE MVE, Developer & EE Moderator Commented:
Hashing means you are converting a string of data to a new fixed-length string that is difficult to reverse engineer http://en.wikipedia.org/wiki/Cryptographic_hash_function.  As you read up on this subject, you will see that as computers and GPUs become more powerful, what was once thought to be impossible is now possible within a few hours.

Let's use SHA2 http://en.wikipedia.org/wiki/SHA-2

Classic ASP does not have these functions built in and I have included the code.  Simply include the code below in your website.  Assume you have it top level and you named the file SHA256.asp then you would include it in your page and call it as a function.

<!--#include virtual="/SHA256.asp"-->
password="abc123"
hashPassword=sha256(password)
' a little more secure or adding salt
hash2Password=sha256(password&"secretword")



To use this to test if a password is good, let's assume you did not salt your password.
<!--#include virtual="/SHA256.asp"-->
' The password that is stored in the db is already hashed: rs("password")
' The password entered in the form is not going to be hashed, so we need to hash it and match it against what is stored in the db

if sha256(request.form("password"))=rs("password") then
     ' we have a match
end if


Save this code as SHA256.asp and include it in your asp page.
edit: I just read the license and it can't be posted here as a demo.  You can download the sha256.asp code here http://www.frez.co.uk/vb6.aspx
1
garethtnash Author Commented:
Hi Padas,

Thanks for your help. Your solution works nicely.

However, the application that is expecting the passwords is expecting values like '-1347148158'.

I'm guessing that isn't SHA256?

Thanks
0

garethtnash Author Commented:
Hi Padas,

One more question... sorry!

Should you store the hashed value in the database, or use

sha256(request("password")) = sha256(recordset("password"))

The reason I ask is: how do you deal with sending the password back to the user ('forgotten password reminder')?

Thanks
0
Scott Fell, EE MVE, Developer & EE Moderator Commented:
Is 1347148158 the current password?  The hashing algorithms I know of are going to give you alphanumeric output.

If the current password is  1347148158, you will need to run a script to update all the passwords to their hashed value.  I would back up first of course.  

The sha256 value of 1347148158  is b514f82238bdd615c6fa07ca54cfcaa6c0e0e8830b394a907b700d8726ce19cd and you would need to store the longer value into the password field.
0
Scott Fell, EE MVE, Developer & EE Moderator Commented:
>The reason I ask, is how do you deal with sending the password back to the user 'forgotten password reminder'

Very good question.  

A hash like this is one way, meaning once you convert it, there is no easy way to reverse engineer it, as I have pointed out http:a39554814.

You need to convert all the old passwords to sha256.  If your db is compromised, all this is doing is preventing somebody from knowing what the actual password is that the user types in.  They would still see the sha256 version of the password which is the actual password now.

Where the user used to enter "1347148158" and you would match that to your db, now the user still types in "1347148158".  However, this will no longer match the password in the db once you convert all the passwords to sha256.  So you have to match by taking the user input and converting that to sha256 in order to match against the password stored in the db.

If somebody forgets their password, there is no returning the  password they used to use because the hash is one way.  So now you need to send them a new password or temporary password they can change on their own.  It's up to you if you want to let them use the same value or not.  Again, the only way you can test if the value is the same is by converting their input to sha256.

It will be a new way of thinking.
1
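The migration, verification and forgotten-password flow described in this answer, as an added Python example (not code from the thread or from the SHA256.asp include): hashlib stands in for the sha256() function, the in-memory dictionaries are a constructed stand-in for the database, and it uses a per-user random salt instead of the single "secretword" shown earlier.

```python
import hashlib
import secrets

# Constructed sample of the legacy table: plaintext passwords, as the thread
# describes the state before the one-off conversion script is run.
LEGACY_DB = {"alice": "1347148158", "bob": "abc123", "carol": "abc123"}


def hash_password(password: str, salt: str) -> str:
    """SHA-256 over salt + password, hex encoded (same shape as the thread's
    sha256(password & "secretword"), but the salt is per user and random)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def migrate(legacy: dict) -> dict:
    """One-off conversion: every plaintext password is replaced by a salt and
    its hash. Back the table up before running anything like this for real."""
    hashed = {}
    for user, plain in legacy.items():
        salt = secrets.token_hex(16)
        hashed[user] = {"salt": salt, "hash": hash_password(plain, salt)}
    return hashed


def verify(db: dict, user: str, submitted: str) -> bool:
    """Login check: hash what the form submitted with the stored salt and
    compare against the stored hash. The stored value is never un-hashed."""
    rec = db.get(user)
    if rec is None:
        return False
    # compare_digest avoids leaking information through comparison timing.
    return secrets.compare_digest(hash_password(submitted, rec["salt"]), rec["hash"])


def reset_password(db: dict, user: str) -> str:
    """Forgotten-password flow: the old password cannot be recovered from the
    hash, so issue a temporary one, store only its hash, and flag it for change."""
    temp = secrets.token_urlsafe(12)
    salt = secrets.token_hex(16)
    db[user] = {"salt": salt, "hash": hash_password(temp, salt), "must_change": True}
    return temp  # sent to the user out of band; never stored in clear


if __name__ == "__main__":
    db = migrate(LEGACY_DB)
    print("login ok:", verify(db, "alice", "1347148158"))
    temp = reset_password(db, "alice")
    print("old password still works:", verify(db, "alice", "1347148158"))
    print("temporary password works:", verify(db, "alice", temp))
```

Plain SHA-256 is fast by design, so a slow password hash (bcrypt, PBKDF2, scrypt) resists guessing better if the database is ever copied; the store-hash/verify-by-rehash/reset-not-recover flow is the same either way.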

garethtnash Author Commented:
Thanks Padas, Great stuff
0
Scott Fell, EE MVE, Developer & EE Moderator Commented:
Thank you.

There are other hash types as well, and there is a good list of hashes and ciphers at https://code.google.com/p/crypto-js/  These are all in JavaScript and, for the most part, you want to do this server-side.
0