> Furthermore, a hash value cannot be decrypted, then the
> passwords in the database are 100% protected.
It's true that a hash can't be "decrypted" in the traditional sense, but attackers have been building lists of pre-hashed common words to compare hashes against for years (go search for "rainbow tables" for more information). Simple hashing isn't really enough anymore. Add salt to that hash, either as an application-wide value or, preferably, a different salt for each user account. Essentially this is just adding some known value to the password before hashing, so that an attacker can't rely on a rainbow table to look up the original password based on the generated hash value (i.e. different salt = different hash value).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348275
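The following is an added worked example, not code from the thread above or from any CF-Talk poster, written in Python (rather than CFML) so it can be run anywhere. It builds a toy precomputed lookup table from a constructed list of common passwords, shows that a bare hash of a common password is found instantly while a salted one is not, contrasts an application-wide salt (two users with the same password get the same hash) with per-user salts, and goes one step past the post: because a single fast hash can still be brute-forced per user, the stored record uses a deliberately slow salted KDF (PBKDF2-HMAC-SHA256) with constant-time verification. SHA-256, 16-byte random salts and 200,000 PBKDF2 iterations are assumed parameters chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed list standing in for the "common words" an attacker pre-hashes.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "coldfusion"]

# Cost parameter for the slow KDF below (assumed value for this example).
PBKDF2_ITERATIONS = 200_000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Toy stand-in for a rainbow table: unsalted hash -> original word."""
    return {sha256_hex(w.encode()): w for w in words}


def hash_unsalted(password: str) -> str:
    """What the quoted message assumes is 'protected': a bare hash."""
    return sha256_hex(password.encode())


def hash_with_salt(password: str, salt: bytes) -> str:
    """The post's suggestion: add a known value to the password, then hash."""
    return sha256_hex(salt + password.encode())


def lookup(table, digest):
    """Attacker's move: look the stored hash up in the precomputed table."""
    return table.get(digest)


def new_salt() -> bytes:
    """A fresh random per-user salt; 16 bytes is plenty (assumed size)."""
    return os.urandom(16)


def make_record(password: str, salt=None) -> dict:
    """Store salt, cost and hash together so verification can recompute it.

    Uses PBKDF2-HMAC-SHA256 rather than one fast hash so that each guess
    costs the attacker as much work as it costs the application.
    """
    salt = new_salt() if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    user_password = "password"  # constructed: a user picked a common word

    unsalted = hash_unsalted(user_password)
    salted = hash_with_salt(user_password, new_salt())

    # Application-wide salt: same password -> same hash for every user, which
    # lets an attacker spot shared passwords and reuse one table for all of them.
    app_salt = b"cftalk-app-wide-salt"  # constructed application-wide value
    alice_app = hash_with_salt(user_password, app_salt)
    bob_app = hash_with_salt(user_password, app_salt)

    # Per-user salt: same password -> different hashes.
    alice_user = hash_with_salt(user_password, new_salt())
    bob_user = hash_with_salt(user_password, new_salt())

    record = make_record(user_password)
    return {
        "unsalted_found": lookup(table, unsalted),
        "salted_found": lookup(table, salted),
        "app_wide_salt_collides": alice_app == bob_app,
        "per_user_salt_collides": alice_user == bob_user,
        "verify_correct": verify(user_password, record),
        "verify_wrong": verify("hunter2", record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the trade-off the example makes explicit: a per-user salt stops table lookups and hides which users share a password, but with a fast hash an attacker who has the database can still try the common-word list against each user individually, so the salt should be combined with a slow KDF and the iteration count stored alongside the hash so it can be raised later.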