So for example if I used the following when the user registers their details

#Hash("form.Password", "SHA-512")#

to store the hash of the password (i.e. 'Test') the user has entered in the form to be stored in the database. Then when the user logs in and enters their password of 'Test' using the login check below, it fails to recognize the password?

--snippet---
WHERE Password = '#Hash("form.Password", "SHA-512")#'
</CFQUERY>

Any ideas on where I am going wrong?

Also if I hashed the password in the database, and offered a feature if the user forgets their password and wanted their password e-mailed to their registered e-mail address, how would the hashed value in the db be converted back to their original password of 'Test'?

-----Original Message-----
From: Kerry [mailto:[EMAIL PROTECTED]
Sent: 14 October 2005 09:34
To: CF-Talk
Subject: RE: security suggestions?

"what would you recommend to do this the Hash function?"

The hash function is efficient, but I could dehash most passwords in a couple of minutes, so I would go for some kind of salted hash / key based encryption.

"how do you match up the password the user enters when logging in to the encrypted version of the password stored in the database"

You encrypt what they entered in the form using the same algorithm, then compare that encrypted string to the encrypted string in the database.

-----Original Message-----
From: Ian Vaughan [mailto:[EMAIL PROTECTED]
Sent: 14 October 2005 09:23
To: CF-Talk
Subject: RE: security suggestions?

Hi

Just to come back to a few of your security points for some more information please.

---QUOTE---
You might want to encrypt the information on the database... but this is a little overkill-ish. However if you can't secure the database as much as you'd like it can be a good measure.
------
Encrypt everything going into the database.
-------

Say for example you were going to encrypt the users password that is stored in the database, what would you recommend to do this the Hash function?

If so how do you match up the password the user enters when logging in to the encrypted version of the password stored in the database?

----QUOTE---
Use strong passwords for all users on both systems and any applications, such as CF Admin. Use a strong password generator for this.
----

Do you know of any good examples of a strong password generator?

---QUOTE---
convert it to a secure (encrypted) email and send it directly to the loan officer?
--------------------

What would you use to secure the encrypted e-mail PGP or certain code in Coldfusion? If it is PGP are any alterations needed on the Coldfusion site to convert it into encrypted format?

Finally is there a script that stops the user clicking on the back button in their browser window which would stop them viewing any sensitive data, or would you recommend just turning off the browsers standard buttons i.e. back, next, refresh etc and/or a script that stops users bookmarking certain pages in their browsers?

Ian

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220999
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
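The two points Kerry makes (a bare hash is cheap to crack, and a login check is "hash the submitted value the same way, then compare") plus Ian's "e-mail me my password" question are easier to see in running code. The following is an added example written for this thread in Python rather than CFML; it is not code from either poster. It assumes an in-memory dict standing in for the Users table, PBKDF2-HMAC-SHA512 with a per-user random salt as the "salted hash" Kerry suggests, and a one-time reset token in place of mailing the old password back, because a hash cannot be converted back to 'Test'.

```python
"""Salted, iterated password storage with a login check and a reset flow.

Added example for the CF-Talk thread above; not ColdFusion and not the
list members' code. USERS is a constructed stand-in for a Users table.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it until a hash costs ~100 ms
SALT_BYTES = 16
RESET_TOKEN_BYTES = 32

# username -> {"pw": stored record, "reset": sha256 of an outstanding reset token}
USERS: Dict[str, dict] = {}


def unsalted_sha512(password: str) -> str:
    """A bare SHA-512 of the form field. Every user who picks the same password
    gets the same digest, so one precomputed lookup answers for all of them;
    that is why Kerry says a plain hash can be 'dehashed' in minutes."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def make_password_record(password: str) -> str:
    """Fresh random salt per user plus many iterations; the salt and iteration
    count are stored alongside the hash so the check can repeat them."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


# Used for unknown usernames so a login attempt costs the same either way.
DUMMY_RECORD = make_password_record(secrets.token_hex(8))


def verify_password(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and iteration count, then
    compare in constant time. The hash is never reversed; the submitted
    password is hashed 'using the same algorithm' and the results compared."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(username: str, password: str) -> None:
    USERS[username] = {"pw": make_password_record(password), "reset": None}


def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    record = user["pw"] if user else DUMMY_RECORD
    return verify_password(password, record) and user is not None


def start_password_reset(username: str) -> Optional[str]:
    """'Forgot password': only the hash exists, so the old password cannot be
    mailed back. Mail a random one-time token instead and store only its hash."""
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(RESET_TOKEN_BYTES)
    user["reset"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token  # goes into the e-mail link; never stored in clear


def finish_password_reset(username: str, token: str, new_password: str) -> bool:
    """Redeem the token once, then replace the stored record with a new salted hash."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, user["reset"]):
        return False
    user["pw"] = make_password_record(new_password)
    user["reset"] = None  # single use
    return True
```

Two things worth checking in any implementation of this pattern: the stored record and the value computed at login must use exactly the same input bytes (trailing spaces, letter case and text encoding all change the digest, so 'Test' and 'Test ' never match), and the comparison should be constant-time rather than a plain string equality.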