Ditto. My question though, is since you must store your salt string in the code (or the db somewhere), access to the db pretty much assumes they have access to the code as well. How is the salt string secure?
> Yes but if they have access to your db then you've got generally a bigger > problem than a dictionary attack > > > > -----Original Message----- > From: Brandon Stone [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 2, 2003 18:21 > To: CF-Talk > Subject: RE: encrypting password > > > One note on security using hash, this still leaves the passwords in the > database open to dictionary attacks. Its really only slightly better than > storing the passwords unencrypted. That is to say, if the attacker somehow > gains access to the database, they just need to use a dictionary file, and > try a hash of those words one at a time until a match is found. > > A generally accepted strategy is to use a salt word as well to create the > password. The salt is a string which you know and keep secure, which the > attacker hopefully does not. Then they need 2 pieces of information to > attack the database. The comparison is essentially the same: > > <cfset salt = "mysuperS3cRetStr$ng"> > <cfif Hash(form.password&salt) is not checkperson.passwordHash> > <cflocation url = "unauthenticated.cfm"> > <cfelse> > ... > </cfif> > > when you insert the hashed password, just append the salt to the end. <cfset > hashedPwForDBInsertion = Hash(form.password&salt)> > > One more note, using hash() makes lost password retrieval more difficult in > that the hash() function is a one way hash. There is no way to unhash. So > essentially, if someone loses their password, you need a mechanism for them > to reset the password to a new password, rather than just pulling the old > one from the db and sending it to them. > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 02, 2003 11:51 AM > To: CF-Talk > Subject: RE: encrypting password > > > I'd suggest using CFs hash() function. It's a one way encryption/obfuscation > method. > > Doug > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
