1

Is there a way to use Hash (bcrypt) Passwords in ASP like in PHP... the following would be the code for PHP but what is the alternative for ASP .. is it the same and just change things around? does ASP support Hash(bcrypt) or is there other way to do ? please engliten me with this situation...

PHP would be 

$link = mysql_connect('localhost', 'wpscanner', 'aUvmxcxvTUPtW8Kw')
    or die('Not connected : ' . mysql_error());
mysql_select_db('wpscanner', $link)
    or die ('Not selected : ' . mysql_error());

$password = mysql_real_escape_string($_GET['password']);
$email = mysql_real_escape_string($_GET['email']);

//This string tells crypt to use blowfish for 5 rounds.
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';

PHP code you need to register a user

// Blowfish accepts these characters for salts.
$Allowed_Chars =
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;

// 18 would be secure as well.
$Salt_Length = 21;

$mysql_date = date( 'Y-m-d' );
$salt = "";

for($i=0; $i<$Salt_Length; $i++)
{
    $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;

$hashed_password = crypt($password, $bcrypt_salt);

$sql = 'INSERT INTO users (reg_date, email, salt, password) ' .
  "VALUES ('$mysql_date', '$email', '$salt', '$hashed_password')";

mysql_query($sql) or die( mysql_error() );
NullPoiиteя
  • 56,591
  • 22
  • 125
  • 143
SnowmanOnFire
  • 63
  • 3
  • 12
  • yes.. its in [here](http://stackoverflow.com/questions/5643187/net-implementation-of-bcrypt-which-implements-hashalgorithm) – Mark May 15 '13 at 03:03
  • thanks but that's for asp.net in c#, i want it for asp classic in VB. any suggetions... – SnowmanOnFire May 15 '13 at 03:10
  • Sorry. You don't specify the language you are using. Its not all the time that ASP.NET uses VB – Mark May 15 '13 at 03:11

1 Answers1

0

If your goal is storing a hash of a password in a database, you could use SHA256. See my answer here SHA256 with classic ASP

But don't forget to use a salt!

Community
  • 1
  • 1
Sander_P
  • 1,787
  • 1
  • 13
  • 37
  • 4
    No, using a function like bcrypt is definitely better in a cryptographic sense than using SHA-256. – Maarten Bodewes May 20 '13 at 00:38
  • @owlstead If you know of a Classic ASP VB implementation of bcrypt, then please let us know. The OP asked for alternatives, and AFAIK SHA256 is the best you can do with Classic ASP VB. But I don't mind to be proven wrong :-) – Sander_P May 20 '13 at 08:24
  • And with 'the best you can do' I mean: 'off the shelf'. Because there are Javascript implementations of bcrypt, which can be turned into a JScript object, which can then be used from ASP VB. – Sander_P May 20 '13 at 08:30
  • It would be better if you would at least salt the password, just suggesting SHA-256 is relatively dangerous, it would be susceptible to rainbow table attacks and identical passwords will hash to the same value. Normally I would just create an implementation of `bcrypt` but I'm extremely limited in my time. – Maarten Bodewes May 20 '13 at 09:54
  • I assumed the code of the OP would be used which already uses salt. But your are right. I will update my answer – Sander_P May 21 '13 at 09:09
  • It's also really important to iterate the hash function often enough. 10000 is probably appropriate. – CodesInChaos May 25 '13 at 15:07
  • SHA512 in Classic ASP (using built-in .Net components, available on any windows server) http://amadiere.com/blog/2011/02/c-net-classic-asp-password-hashing/ – Digs Apr 25 '15 at 13:41