Re: Password Encryption
We just had a thread on this a few days ago, didn't we? Or was it one of those that forked and went in this direction? The subject was best practices w/passwords, or storing them or something like that.

Anyway, hashing isn't the be-all and end-all. It's a real good start, but you can do better. Check this out:

http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/

CF produces a one-way md5 hash with the hash() function. The AccessMonger system presently hashes passwords. Literally right now I'm working on a revision that will salt them as well. It should be available on the DevEx by this evening.

There is more you can do, like run the pwd thru a filter to ensure there are numeric values in the word, then strip out the numeric values and run the surviving chars thru a dictionary filter.

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
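The per-password salt and the digit/dictionary filter described in the message above, sketched in Python as an added example (not code from the thread or from AccessMonger). It uses PBKDF2-HMAC-SHA256 in place of a single MD5 pass; the iteration count, function names and the five-word dictionary are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to your hardware
# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "dragon", "monkey", "letmein", "secret"}


def check_policy(password):
    """Filter from the message: require a digit, then dictionary-check the rest."""
    if not any(c.isdigit() for c in password):
        return "needs at least one digit"
    # Strip the digits and test the surviving characters against the word list.
    remainder = "".join(c for c in password if not c.isdigit()).lower()
    if remainder in DICTIONARY:
        return "dictionary word with digits added"
    return None  # None means the password passed the filter


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    for pwd in ("dragon", "dragon99", "9blue7Heron2"):  # constructed samples
        print(pwd, "->", check_policy(pwd) or "accepted")
    salt_a, hash_a = hash_password("9blue7Heron2")
    salt_b, hash_b = hash_password("9blue7Heron2")
    # Two users with the same password get different stored values.
    print("same password, different rows:", hash_a != hash_b)
    print("login ok:", verify_password("9blue7Heron2", salt_a, hash_a))
```

Store the salt next to the digest in the user row; it is not a secret, it only has to be unique per password.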
RE: Password Encryption
We know that unlike MS Access, SQL Server doesn't have a password type field so it is necessary to encrypt it manually.

I wrote a tutorial for the excellent EasyCFM site and it can be found here:

http://tutorial113.easycfm.com/

It works well - but don't lose the key because a locksmith will be unable to help you.

Peter Tilbrook
ColdFusion Applications Developer
ColdGen Internet Solutions
Manager, ACT and Region ColdFusion Users Group - http://www.actcfug.com
4/73 Tharwa Road
Queanbeyan, NSW, 2620
AUSTRALIA
Telephone: +61-2-6284-2727
Mobile: +61-0439-401-823
E-mail: [EMAIL PROTECTED]
RE: Password encryption
You could hash() the password on the way in, stops it being stored in clear text.

Jb.

-----Original Message-----
From: Shahzad.Butt [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 11:01
To: CF-Talk
Subject: Password encryption

Hi

I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. What's the best way to make it secure? encrypting passwords stored in DB? or some other way..

Thanks
Shaz
RE: Password encryption
http://www.houseoffusion.com/cf_lists/index.cfm/method=messages&threadid=29317&forumid=4

Just yesterday.

--
-dc[ cf5, ora8.1.7, iis5 ]

-----Original Message-----
From: Shahzad.Butt [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 11:01
To: CF-Talk
Subject: Password encryption

Hi

I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. What's the best way to make it secure? encrypting passwords stored in DB? or some other way..

Thanks
Shaz
RE: Password encryption
Depends on your security requirements. I do a one-way hash when the password is created, and email Users temporary passwords when they forget theirs. No one can look-up a password, not even the DBA.

-----Original Message-----
From: Shahzad.Butt [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 5:01 AM
To: CF-Talk
Subject: Password encryption

Hi

I am storing user name and password in Access DB and running a query to match the combination when user attempts to login. Authorised users can do everything with the DB. What's the best way to make it secure? encrypting passwords stored in DB? or some other way..

Thanks
Shaz