Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack
-----Original Message-----
From: Brandon Stone [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 2, 2003 18:21
To: CF-Talk
Subject: RE: encrypting password

One note on security using hash: this still leaves the passwords in the database open to dictionary attacks. It's really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file and try a hash of those words one at a time until a match is found.

A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same:

    <!--- site-wide secret appended to every password before hashing --->
    <cfset salt = "mysuperS3cRetStr$ng">
    <cfif Hash(form.password&salt) is not checkperson.passwordHash>
        <cflocation url = "unauthenticated.cfm">
    <cfelse>
        ...
    </cfif>

When you insert the hashed password, just append the salt to the end.

    <cfset hashedPwForDBInsertion = Hash(form.password&salt)>

One more note: using hash() makes lost password retrieval more difficult in that the hash() function is a one-way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 11:51 AM
To: CF-Talk
Subject: RE: encrypting password

I'd suggest using CF's hash() function. It's a one-way encryption/obfuscation method.
Doug
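The salted-hash scheme Brandon describes, as an added example that is not from the thread (Python rather than CFML so it runs stand-alone): the thread's single fixed secret string is what is now usually called a pepper, and the example keeps it but adds a per-user random salt and a slow KDF, so two users with the same password no longer share a hash and each dictionary guess costs many iterations. PEPPER, ITERATIONS and the stored-record format are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed site-wide secret, standing in for the thread's fixed "salt" string.
# It belongs in config outside the database; today this role is called a pepper.
PEPPER = b"mysuperS3cRetStr$ng"
ITERATIONS = 200_000  # cost per guess; tune to your hardware (assumed value)


def legacy_hash(password: str) -> str:
    """The thread's scheme: one fast hash of password + fixed secret, no per-user salt."""
    return hashlib.sha256(password.encode("utf-8") + PEPPER).hexdigest().upper()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). Salt and
    parameters are stored with the digest, so verification is self-describing."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + PEPPER, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never fall through to a "match"
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + PEPPER, salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Two users who chose the same password are identical under the legacy scheme,
    # so one precomputed dictionary covers both once the fixed secret is known.
    print(legacy_hash("password1") == legacy_hash("password1"))  # True
    a, b = hash_password("password1"), hash_password("password1")
    print(a == b)  # False: different per-user salts
    print(verify_password("password1", a), verify_password("wrong", a))  # True False
```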