Hashing Passwords in ASP
Passwords should be hashed and stored in the database in that hashed state. The function is not reversible, so there is no way to take the result and reverse it into the password; if a password is lost, you will need to replace it with a new one. This is not high-level encryption, but it will slow people down. The password is always sent from the user input page to the page encrypting it. Somewhere in between, the password *could* be intercepted. Using SSL to process logins will prevent the password from being intercepted.
This function gives a quick and easy way to hash a password into a non-human readable form. This means it is safer to store in a database, and should the database be viewed by anyone who shouldn't know the passwords, it will be much more difficult for them to work out what a user's password is.
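<%
' Hashes x2 (the password) using x1 (for example the username) as a salt.
' Returns a string of at least 10 characters, some of which may be unprintable.
Function encrypt(x1, x2)
    Dim s, t, i, y
    s = ""
    t = 0
    ' Sum the character codes of the salt.
    For i = 1 To Len(x1)
        t = t + Asc(Mid(x1, i, 1))
    Next
    ' Combine each password character with another password character and the salt sum.
    For i = 1 To Len(x2)
        y = (t + Asc(Mid(x2, i, 1)) * Asc(Mid(x2, ((i + 1) Mod Len(x2) + 1), 1))) Mod 255
        s = s & Chr(y)
    Next
    ' Pad results for passwords shorter than 10 characters up to 10 characters.
    For i = (Len(x2) + 1) To 10
        ' Cap t so that t^3 * i stays within the range Mod can handle.
        If t > 598.8 Then t = 598.8
        y = t^3 * i Mod 255
        s = s & Chr(y)
    Next
    encrypt = s
End Function
%>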
This particular example uses the first variable passed, x1, as a salt for the second variable passed, x2. Passing 'username','password1' to the function returns
å"r–êKOI
which produces some characters that are not printable to the screen. This may cause a problem.
A preferred method is to use SHA-256.
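As an added example (not code from the original page), here is a salted SHA-256 hash for classic ASP that returns printable hexadecimal, which avoids the unprintable-character problem noted above. It assumes the server has the .NET Framework installed so that the COM-visible classes `System.Text.UTF8Encoding` and `System.Security.Cryptography.SHA256Managed` can be created; the function names `Sha256Hex`, `HashPassword` and `VerifyPassword` are illustrative. Place the code inside a `<% %>` block.

```vbscript
' Added example. Assumption: the .NET Framework is installed on the server,
' so its COM-visible classes can be created with CreateObject.

' Returns the SHA-256 digest of a string as 64 lowercase hex characters.
Function Sha256Hex(text)
    Dim utf8, sha, bytes, digest, i, hexOut
    Set utf8 = CreateObject("System.Text.UTF8Encoding")
    Set sha = CreateObject("System.Security.Cryptography.SHA256Managed")

    bytes = utf8.GetBytes_4(text)         ' string -> UTF-8 byte array
    digest = sha.ComputeHash_2((bytes))   ' extra parentheses pass the array by value

    hexOut = ""
    For i = 1 To LenB(digest)
        ' Two hex digits per byte, left-padded with "0".
        hexOut = hexOut & Right("0" & Hex(AscB(MidB(digest, i, 1))), 2)
    Next

    Set sha = Nothing
    Set utf8 = Nothing
    Sha256Hex = LCase(hexOut)
End Function

' Same argument order as encrypt(x1, x2): salt first, password second.
Function HashPassword(salt, password)
    ' The length prefix keeps ("ab", "c") and ("a", "bc") from hashing the same input.
    HashPassword = Sha256Hex(Len(salt) & ":" & salt & password)
End Function

' Recomputes the hash at login and compares it with the stored hex string.
Function VerifyPassword(salt, password, storedHash)
    VerifyPassword = (StrComp(HashPassword(salt, password), _
                              LCase(storedHash), vbBinaryCompare) = 0)
End Function

' Usage:
'   stored = HashPassword("username", "password1")   ' store this 64-character string
'   ok = VerifyPassword("username", "password1", stored)
```

The stored value is always 64 characters from `0-9a-f`, so it fits a fixed-width text column and can be displayed or logged without encoding problems.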