Do you need to be able to read passwords again after encrypting them?  I've
yet to build an application where this was required.  If a user forgets
his/her password, just issue them a new one, rather than telling them what
the current one is.  If you can live with this requirement, use the hash()
function for encryption and checking, and save yourself a buttload of
trouble.

In the user add/edit scripts, you have normal everything, except in your
INSERT/UPDATE queries you do this:

    password = '#hash(form.password)#'

rather than

    password = '#form.password#'

or

    password = '#encrypt(form.password, application.passwordKey)#'

Then in your authentication query for logging in, put a WHERE clause like
this:

SELECT ...
FROM ...
WHERE username = '#form.username#'
    AND password = '#hash(form.password)#'

Other than those two places (and perhaps the template that resets lost
passwords), you needn't do anything different than just storing plain text
passwords.  The password column in the DB will need to be a 32-byte CHAR
column, because MD5 hashes are always 32 hex digits long.  I don't know
about your DB, but MySQL (what I use) provides an MD5() builtin function
that does the same as the native CF hash() function, so you might be able to
use that in the queries if you'd prefer.

Let me know if that makes sense, either on or off list.  It's on-topic
enough to leave it here, unless you want to discuss specific details that
aren't fit for public consumption.

cheers,
barneyb
  -----Original Message-----
  From: Tim Laureska [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, November 05, 2003 9:25 AM
  To: CF-Talk
  Subject: PW encryption/decryption

  Well... I've spent at least 40 hrs on this and even help from Peter
  Tilbrook and Tony did not solve the dilemma... would anybody be
  available to look at some code I've set up for a user registration
  password encryption scenario
  (used http://tutorial113.easycfm.com as a basis)

  I just don't get it... it works sometimes and not others... I'd be
  willing to send files/database etc... even pay someone at this point ...
  I've thrown my hands up... I really don't want to put plain text
  passwords in the DB, but I'm a hair away from doing just that

  You can see it NOT work at
  http://www.talbotcounty.org/employ/seekers/seeker_registration2.cfm

  Tim
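
The store-the-hash flow barneyb describes above, as an added example rather than code from this thread: a Python/sqlite3 stand-in for the CF add/edit template, the lost-password template and the login query. `cf_hash()` and `mysql_md5()` are hypothetical helper names that mimic the CF `hash()` and MySQL `MD5()` builtins (both are MD5 of the string; CF's returns upper-case hex, MySQL's lower-case), the `users` table with its CHAR(32) column is constructed here, and the queries bind the form values as parameters instead of pasting `#form.x#` into the SQL text. It also shows the one property of an unsalted MD5 column a defender should keep in mind: two accounts with the same password end up with identical stored values.

```python
import hashlib
import sqlite3


def cf_hash(text):
    """Stand-in for ColdFusion's hash(): MD5 of the string as 32 hex digits.
    CF returns the digest in upper case (hypothetical helper name)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def mysql_md5(text):
    """Stand-in for MySQL's MD5() builtin: same digest, lower-case hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory users table; CHAR(32) fits an MD5 hex digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password CHAR(32) NOT NULL)"
    )
    return conn


def add_user(conn, username, password):
    """The add/edit script: store hash(form.password), never the password.
    Form values are bound as parameters rather than interpolated into SQL."""
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, cf_hash(password)),
    )


def reset_password(conn, username, new_password):
    """The lost-password template: issue a new password and store its hash."""
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (cf_hash(new_password), username),
    )


def login(conn, username, password):
    """The authentication query: WHERE username = ? AND password = hash(?).
    UPPER() on the column keeps the comparison correct even if some rows were
    written with MySQL's lower-case MD5() while CF's hash() supplies upper case."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND UPPER(password) = ?",
        (username, cf_hash(password)),
    ).fetchone()
    return row is not None


def stored_hash(conn, username):
    """Read back the column value, to show it is a digest, not the password."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    add_user(db, "tim", "correct horse")
    add_user(db, "barney", "correct horse")
    print(stored_hash(db, "tim"))             # 32 hex digits, not the password
    print(login(db, "tim", "correct horse"))  # True
    print(login(db, "tim", "wrong"))          # False
    # Unsalted MD5: identical passwords give identical column values.
    print(stored_hash(db, "tim") == stored_hash(db, "barney"))  # True
```

Two things worth checking before copying this pattern into a real application: compare the column case-insensitively (or normalise case on write) if the hash is ever produced on the MySQL side, since CF's `hash()` and MySQL's `MD5()` differ only in letter case; and note that bare MD5 with no per-user salt is kept here only to match the post, whereas a salted, deliberately slow password hash is what one would choose for new code.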
