On Fri, Feb 7, 2014 at 2:37 PM, Richard White wrote:
> 1) Is this best practice? If the salt phrase is contained within
> JavaScript it will be easy for anyone to see what it is.

Why would it be a problem if somebody saw it? It still increases the complexity for a would-be attacker. Just make sure you hash again with a secret salt on the server. Even if the public salt was fully available in a rainbow table somewhere, you still haven't lost any security. And to increase the cost of generating rainbow tables against your salt, make sure you use a salt that is the combination of something long and something unique, such as the username. (Just make sure you lowercase and trim the username before using it in the salt.)

> 2) If this is best practice then how can I obfuscate the salt phrase, and
> also is there a JS equivalent to ColdFusion's SHA-512 hash function?

There are several JavaScript crypto libraries available with SHA-512 implementations, which you can find through a search engine.

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357613

