On 10/14/05, Ian Vaughan <[EMAIL PROTECTED]> wrote:
> Do you know for any good examples of a strong password generator ?
Here is a basic one. You can take this and turn it into a custom tag
pretty easy. It removes easily-confused letters from the string which
makes it more usable but less secure. Also I am paranoid about
scoping variables and would scope these to the 'variables' scope, but
I removed them so the code would fit better in the message :-)
<cfscript>
myPwd="";
myPwdLen="8";
do {
RandCharRange=RandRange(0,2);
switch (RandCharRange)
{
case "0":{myPwd=myPwd & chr(RandRange(48,57));break;}
case "1":{myPwd=myPwd & chr(RandRange(65,90));break;}
case "2":{myPwd=myPwd & chr(RandRange(97,122));}
}
myPwd=ReReplace(myPwd,"(0|o|O|1|i|I|l|5|S)","","all");
} while Compare(Len(myPwd),myPwdLen);
</cfscript>
>Say for example you were going to encrypt the users password that is
>stored in the database, what would you recommend to do this the Hash
>function?
You appear to be investigating hashes, but not salted hashes, which is
what I would stick to exclusively. Here is a decent article on the
subject:
http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/
I find a UUID makes a good salt value. Store the UUID with the user
record, pull it (via the username they also typed in) and combine the
supplied password with the salt value and hash *that* and compare it
to the value in the db (which you also salted and hashed when you
stored it initially).
As has been pointed out hashes of any kind are one way. If a user
forgets their password Never, ever ever send a user a password
replacement via email. Instead have the user replace the password
themselves by sending them an encoded link that expires after a
certain period (I use 24 hrs). When you send out the link, store a
value in the db (a hashed UUID, for example). Then put that value in
the link you send back to the customer. When the link comes back
(i.e. they click on the email) Use the hashed value to find the user
record the password change is associated with. If anyone intercepts
the email they will only have a sting of crud that doesn't give overt
clues as to its nature and which will become useless shortly. Not
perfect, but better than linking in with UserID=123
Next you must try to authenticate whether this really is the person
who owns the account. To authenticate the person you have to hit them
with a hint/answer challenge. When they arrive for the reset, ask
them their secret question. Without the answer, no soap. This of
course means you have to give the person the opportunity to put in a
hint and an answer on their first login attempt. I like to let the
customer write their own question and answer, so they have the freedom
to put something in thats really private... Encrypt the question and
store the answer as a salted hash.
--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Logware (www.logware.us): a new and convenient web-based time tracking
application. Start tracking and documenting hours spent on a project or with a
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:221034
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
