Sor for example if I used the following when the user registers their
details
#Hash("form.Password", "SHA-512")# to store the hash of the password (
i.e. 'Test.) the user has entered in the form to be stored in the
database
Then when the user logs in and enters their password of 'Test' using the
login check below, it fails to recognize the password?
--snippet---
WHERE Password = '#Hash("form.Password", "SHA-512")#'
</CFQUERY>
Any ideas on where I am going wrong?
Also if I hashed the password in the database, and offered a feature if
the user forgets their password and wanted their password e-mailed to
their registered e-mail addresss, how would the hashed value in the db
be converted back to their original password of 'Test' ?
-----Original Message-----
From: Kerry [mailto:[EMAIL PROTECTED]
Sent: 14 October 2005 09:34
To: CF-Talk
Subject: RE: security suggestions?
"what would you recommend to do this the Hash function?"
The hash function is efficient, but I could dehash most passwords in a
couple of minutes, so I would go for some kind of salted hash / key
based encryption.
"how do you match up the password the user enters when logging in to the
encrypted version of the password stored in the database"
You encrypt what they entered in the form using the same algorithm, then
compare that encrypted string to the encrypted string in the database.
-----Original Message-----
From: Ian Vaughan [mailto:[EMAIL PROTECTED]
Sent: 14 October 2005 09:23
To: CF-Talk
Subject: RE: security suggestions?
Hi
Just to come back to a few of your security points for some more
information please.
---QUOTE---
You might want to encrypt the information on the database... but this is
a little overkill-ish. However if you can't secure the database as much
as you'd like it can be a good measure.
------
Encrypt everything going into the database.
-------
Say for example you were going to encrypt the users password that is
stored in the database, what would you recommend to do this the Hash
function? If so how do you match up the password the user enters when
logging in to the encrypted version of the password stored in the
database?
----QUOTE---
Use strong passwords for all users on both systems and any applications,
such as CF Admin. Use a strong password generator for this.
----
Do you know for any good examples of a strong password generator ?
---QUOTE---
convert it to a secure (encrypted) email and send it directly the loan
officer?
--------------------
What would you use to secure the encrypted e-mail PGP or certain code in
Coldfusion? If it is PGP are any alterations needed on the Coldfusion
site to convert it into encrypted format?
Finally is there a script that stops the user clicking on the back
button in their browser window which would stop them viewing any
sensitive data, or would you recommend just turning off the browsers
standard buttons i.e. back, next, refresh etc and/or a script that stops
users bookmarking certain pages in their browsers ?
Ian
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Logware (www.logware.us): a new and convenient web-based time tracking
application. Start tracking and documenting hours spent on a project or with a
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:220999
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
