
Password encryption. HTML password protect web page


How secure is password encryption for html web pages?
Ultra strong HTML password encryption uses our JavaScript implementation of the Blowfish algorithm. It is known to be extremely secure, has no known weaknesses, and is immune to all known forms of cryptanalysis. It has been examined since 1993 (the year it was created) and no method to crack this protection has been found so far.
The original Blowfish algorithm accepts variable-length keys, from 32 bits to 448 bits. HTML Guardian's password encryption implementation accepts 48 to 384 bit keys. Using keys longer than 384 bits is impractical; in fact, using keys longer than 256 bits ensures that nobody, not even governmental agencies, will be able to see the protected content.
The only way to crack this protection is by performing a so-called brute-force or dictionary attack.
A brute-force attack simply means trying all the possible keys until the right one is found. Hence the more possible keys there are, the longer it takes to try them all (statistically the key is likely to be found after trying about half of all possible keys). Increasing the password length exponentially increases the number of possible passwords - and the time needed to test all of them. So longer password = better protection!

Let's see some examples:
The number of all possible passwords for a given password length can be calculated with the simple formula
n = N^L    where:
n is the number of all the possible passwords
N is the number of characters which can be used in the password
L is the password length

In our case N can vary, but let's say we will use only a-z, A-Z, 0-9 and a reduced set of 26 special characters mentioned in the previous section. So N will be 26+26+10+26 = 88. For a password length of six characters, the number of possible passwords to try will be 88^6 = 464 404 086 784, or more than 464 billion. If we have a computer that can test 1 000 000 (one million) passwords per second, it will need 464 404 seconds, or about 130 hours, to test all possible passwords. As we said, the password is likely to be found after trying half of the possibilities, or after approx. 65 hours.
Of course the above assumes we can test 1 000 000 passwords per second, which can't be achieved in practice. As an additional security measure, the protected file will not display an alert or any other indication if the password is incorrect - it will decode the protected content in all cases, and if the password was incorrect the result will simply be a bunch of garbage characters. So the cracking computer must spend some extra time to evaluate the result after each password tested.

Now let's see what happens if we increase the password length:

HTML password encryption strength

| Password length [characters] | Number of possible passwords | Time needed to test all passwords at a rate of 1 000 000 passwords per second | Time needed to test all passwords at a rate of 1 000 000 000 000 passwords per second |
|---|---|---|---|
| 7 | 40867559636992 | 1.3 years | 41 seconds |
| 8 | 3.59 x 10^15 | 114 years | 1 hour |
| 10 | 2.78 x 10^19 | 883120 years | 332 days |
| 15 | 1.47 x 10^29 | 4.66 x 10^15 years | 4 660 510 334 years |
| 25 | 4.09 x 10^48 | 1.29 x 10^35 years | 1.29 x 10^29 years |
| 48 | 2.16 x 10^93 | 6.86 x 10^79 years | 6.86 x 10^73 years |


The cracking rate of 1 000 000 000 000 tested passwords per second in the last column definitely belongs to science fiction, but it can be achieved in the next 10-15 years by using hundreds of supercomputers for distributed password cracking.
The above table clearly shows how increasing the password length increases the security. It's up to you to decide what passwords to use.
Looking at the above values you may think a 15-20 character password can never be cracked - but this is true only in some cases - only if you use a strong HTML password!!!
So merely using a password on a web page or web site is not enough - it should be strong enough to ensure total security.
Most people use simple passwords like their pets' names, date of birth etc. A password like "Santa Claus is back in town" may look extremely secure (that's 27 characters!!!) but in fact it may be cracked in a few days by using a dictionary attack. This means testing the password against a list of words, for example the entire English (or some other language) dictionary. There are very sophisticated dictionary attack algorithms which can test not only the words in the list but also many combinations derived from them. For example, if the word "dog" is in the list, the cracking program will also try god (word reversed), dogdog, ddoogg, ggoodd, gdo, d o g, d_o_g etc. Most programs will also try combinations of words in the list, replacement of letters with numbers that look or sound alike (like d0g), character sequences in the order keys appear on the keyboard (like qwertyuiop or qazwsxedc) etc.

Password cracking attempts usually start with a dictionary attack because it's much faster than anything else and the chances of discovering a weak password are good. Then cryptanalysis is performed. If the encryption algorithm used has weaknesses, it can be cracked relatively easily by using sophisticated cryptanalysis techniques. The Ultra - Strong protection will resist all known cryptanalysis techniques. If the dictionary attack and cryptanalysis fail, the only alternative is the brute force attack, which has no chance against the Ultra - Strong protection.

In conclusion:
Ultra - Strong password encryption can only be cracked by a dictionary attack. So it's up to you to use a strong password which can't be discovered by a dictionary attack - the password should not be derived from a word or a phrase. It should contain randomly mixed upper and lower case letters, numbers and special characters. A password like "Q#H3s d$mf" is much better than "Santa Claus is back in town", even though the latter is longer.
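The n = N^L formula and the advice to use randomly mixed characters can be combined in a few functions. This is an added example, not HTML Guardian code: it draws a password uniformly from an 88-character set with a cryptographic random source and reports the search space, the equivalent strength in bits and the exhaustive-search time. The 26 special characters are an assumed set (the page's own list is in a section not shown here), and all function names are made up for the example.

```javascript
// Added example: random password generation and search-space figures for
// N = 88. Works in a browser or in Node.js (Web Crypto API).
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;
const ALPHABET =
  'abcdefghijklmnopqrstuvwxyz' +
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
  '0123456789' +
  '!#$%&()*+,-./:;<=>?@[]^_{}'; // 26 specials, constructed for illustration

// n = N^L, exact even for L = 48 because BigInt does not round.
function keyspace(length) {
  return BigInt(ALPHABET.length) ** BigInt(length);
}

// Strength of a uniformly random password in bits: L * log2(N).
function entropyBits(length) {
  return length * Math.log2(ALPHABET.length);
}

// Whole seconds needed to test every password at the given guess rate.
function secondsToExhaust(length, ratePerSecond) {
  return Number(keyspace(length) / BigInt(ratePerSecond));
}

// Shortest random password whose strength reaches the requested bits.
function minLengthForBits(bits) {
  return Math.ceil(bits / Math.log2(ALPHABET.length));
}

// Bytes >= 176 are discarded so that `byte % 88` is unbiased
// (176 is the largest multiple of 88 that fits in one byte).
function generatePassword(length) {
  const limit = 256 - (256 % ALPHABET.length);
  let out = '';
  while (out.length < length) {
    const bytes = rng.getRandomValues(new Uint8Array(length * 2));
    for (const b of bytes) {
      if (b < limit && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
  }
  return out;
}

for (const len of [6, 8, 15]) {
  console.log(len, generatePassword(len), keyspace(len).toString(),
    entropyBits(len).toFixed(1) + ' bits', secondsToExhaust(len, 1e6) + ' s');
}
```

Each character from an 88-symbol set contributes about 6.46 bits, so these figures hold only for passwords produced by a uniform random draw like `generatePassword`, not for words or phrases of the same length.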


Editing the template
As noted above, the ultra strong protection is not intended to protect the source code but to protect highly sensitive information stored in HTML format in an extremely secure way. However, most of the source code protection options can be used for ultra strong protected files.
HTML Guardian uses a template file named se_template.htm (it's in the program's installation folder) for ultra strong password encryption. By modifying this file, you can:
- use some of the source code protection options for ultra strong protected files
- customize the layout of the page people will see before entering the password
The template has the following structure:

<script>
.. information about source code protection options to be used
</script>
<body>

.. here you can put your custom code which will be displayed before entering the password
</body>

To modify the source code protection options:
In the <script> ... </script> section of the template, there are six lines that look like
           use_disableRightClick=0;
           ......................................
Each line defines whether a certain protection option should be used. By default all are disabled. To enable an option, change 0 to 1. For example if the first of those lines looks like
           use_disableRightClick=0;
the right click will not be disabled. If you change it like
           use_disableRightClick=1;
it will be disabled.
Lines that start with // are comments - do not touch them.
Protection options not listed in the template can't be used.
In the <script> ... </script> section of the template, you can only change a value from 0 to 1 and vice-versa to define whether a certain option should be used. Do not modify anything else.

To modify the way the protected file looks before entering the password:
You can customize the page people will see before entering the password by modifying the <body> .... </body> section of the template.
This will only have an effect if the user is prompted for the password with a password box in the protected file. If you have configured HTML Guardian to use a JavaScript prompt for entering the password, any changes you make in the <body> ...... </body> section of the template will have no effect.
You can add your own code in the body tag, for example to instruct users how to obtain a password, what to do in case of a forgotten password etc. You can also modify the page background colour, insert a background image etc.
Do not put any custom code outside the <body> ...... </body> section of the template.
Please back up the template before making any changes.
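The editing rules above can be checked mechanically against the backup copy. This is an added example, not part of HTML Guardian: it reports any edit other than a 0/1 switch inside <script> ... </script> or a change inside <body> ... </body>. The sample template text is constructed from the structure shown on this page (the real se_template.htm contains more lines), and the function names are made up for the example.

```javascript
// Added example: compare an edited template with its backup and list the
// edits the page forbids. BACKUP, GOOD and BAD are constructed samples.
const FLAG = /^(\s*\w+=)[01](;\s*)$/; // a line such as "use_disableRightClick=0;"

function splitTemplate(text) {
  const m = /^([\s\S]*?<script[^>]*>)([\s\S]*?)(<\/script>[\s\S]*?)(<body[\s\S]*<\/body>)([\s\S]*)$/i.exec(text);
  if (!m) throw new Error('template structure not recognised');
  return { head: m[1], script: m[2], between: m[3], body: m[4], tail: m[5] };
}

function checkEdit(backup, edited) {
  const a = splitTemplate(backup);
  const b = splitTemplate(edited);
  const problems = [];
  // Nothing outside the two editable sections may change.
  for (const part of ['head', 'between', 'tail']) {
    if (a[part] !== b[part]) problems.push(`change outside <script>/<body> (${part})`);
  }
  const before = a.script.split('\n');
  const after = b.script.split('\n');
  if (before.length !== after.length) {
    problems.push('lines added or removed inside <script>');
    return problems;
  }
  before.forEach((line, i) => {
    if (line === after[i]) return;
    const x = FLAG.exec(line);
    const y = FLAG.exec(after[i]);
    // Allowed: same option name and punctuation, only the 0/1 digit differs.
    if (!x || !y || x[1] !== y[1] || x[2] !== y[2]) {
      problems.push(`<script> line ${i + 1} changed beyond 0/1`);
    }
  });
  return problems;
}

const BACKUP = '<script>\n// right click\nuse_disableRightClick=0;\n</script>\n' +
  '<body>\nEnter the password.\n</body>\n';
const GOOD = BACKUP.replace('=0;', '=1;')
  .replace('<body>\nEnter', '<body bgcolor="#ffffff">\nContact the site owner. Enter');
const BAD = BACKUP.replace('// right click', '// edited')
  .replace('</body>\n', '</body>\n<p>extra</p>\n');

console.log(checkEdit(BACKUP, GOOD)); // []
console.log(checkEdit(BACKUP, BAD));  // two problems
```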

Can I manage multiple users and passwords with the Ultra Strong Password Encryption utility?
I want to have an individual password for each user.


No, this is not possible. Any program that claims it can protect a file so that it can be decrypted by providing different usernames & passwords is a home-made "protection" which can be cracked in minutes and should be avoided.
There is no serious password encryption algorithm known that can encrypt a file so that it can be decrypted by using more than one password.
If you come across a program that claims it can protect your data by using an individual user login & password combination for each user, DELETE IT ***IMMEDIATELY*** FROM YOUR HARD DISK AND ***NEVER*** EVER USE IT !!! If you want password encryption with an individual password for each user, the only option is to use some server-side technology.




   © 1997-2005, ProtWare Inc. All rights reserved.