Passwords and Encryption?

When I go live with my product, should I have my passwords encrypted in my database?  If I protect the directory that my database is on, is that enough to avoid hackers?  I do not want the wrong people to get ahold of my passwords and then have access to my system.
Asked by swartout
1 Solution

anandkp commented:
YES - you need to have your passwords encrypted. But that doesn't mean they cannot be hacked - they offer some degree of protection, but definitely aren't foolproof.

There are various means of doing this. You may create your own DLLs to do this, or use the CFEncrypt functions to do this for you.

It's always a good practice to have them encrypted.

See what others have to say on this.

Kind regards,
Anand

swartout (Author) commented:
How do I encrypt them? Do I need to worry about the other data that I am storing in my database? I do not have financial information; it is a performance evaluation database. I would not want unauthorized individuals to see others' evaluations.

a1programmer commented:
There are 2 functions in ColdFusion (v4.5, maybe earlier too):

encrypt(string,key)
decrypt(string,key)

<cfset enc_password = encrypt("mypassword", "mykey")>

now enc_password is the encrypted password.

you can then do
<cfset regular_password = decrypt(enc_password, "mykey")>

and regular_password will be "mypassword"...

Hope this helps...

demarco commented:
The above is a suitable method for password encryption; however, CF also provides the Hash ( hash(var) ) function to use MD5 encryption for a higher level of security. Of course MD5 is one way and you would not be able to decrypt the passwords, but you can compare two encrypted strings like this:


<cfquery name="getadmin">
Select * from tbl_users
where username = '#form.username#'
AND password = '#hash(form.password)#'
</cfquery>


Using encrypt & decrypt isn't really suited to a commerce site, as it can be overcome more easily than the MD5 encryption.

But if you require password recovery it should suffice.


demarco commented:
Re  "protect the directory that my database is on"

I assume your database folder is somehow under wwwroot?
If so, this is worrying, as all they would have to do is know your database name to download your DB.

What format / location is your database ?

a1programmer commented:
Very true. I didn't realize a hash function existed.

Protecting the dir/machine is probably the best solution.

Anyone with access to the drive/machine could access the database and replace the MD5 hash with their own just as easily as the encrypt, but they won't be able to determine the password.



swartout (Author) commented:
My database is in a directory off of the root, and it is an Access database.

swartout (Author) commented:
I included the (hash(var)) function in my SQL statement like you have above, and it doesn't recognize the login. What else do I need to do to get the MD5 to work?

Thanks
Cindy

a1programmer commented:
The password in the database will have to be encrypted first.

You initially encrypt the password upon insert into the db. Then when they login, you encrypt the password they enter, and then you can use it in a query.

Insert...

<cfquery name="insertAdmin">
     insert into admin (username,password) ('#username#','#hash(password)#')
</cfquery>

Then, when you query the db.

<cfquery name="getAdmin" datasource="...">
     select * from admin where username = '#username#' and password = '#hash(password)#'
</cfquery>

<cfif getAdmin.recordCount>
  access
<cfelse>
  no access
</cfif>

a1programmer commented:
I left out VALUES.

Insert...

<cfquery name="insertAdmin">
    insert into admin (username,password) values ('#username#','#hash(password)#')
</cfquery>

swartout (Author) commented:
What if my passwords are already in my db?  Can I update them?

a1programmer commented:
Yeah.

<cfquery name="getPasswords" ...>
   Select id, password from Admin
</cfquery>

<cfoutput query="getPasswords" ...>
   <cfquery name="updatePasswords" ...>
      update Admin set password = '#hash(password)#' where id = #id#
   </cfquery>
</cfoutput>

I am kind of new to coldfusion... From what I understand, you can use a <cfloop> instead of the <cfoutput> because no output is needed here...  But that should work (you will have to change the sql to match your tables of course...)
swartout (Author) commented:
I must be missing something, it is not working.  I updated my passwords in my database, so now in the database they are this string of numbers and letters.  I changed my results page SQL to password = #hash(form.password)#.  And when I try I get my message stating that my password is incorrect.

a1programmer commented:
hmmmmm...

would you care to paste some code in here?

You may want to print some "debug" output to see what's getting returned, encrypted, and compared.

swartout (Author) commented:
This is my query that I use to verify what the user entered in the login form.


<CFQUERY NAME="CheckUser" DATASOURCE="database">
SELECT * FROM login WHERE login.Username = '#Form.Username#' and login.AccountNbr = #form.Accountnbr#
and login.password = '#hash(form.password)#'
</CFQUERY>

a1programmer commented:
First, try reading the password.

<cfquery name="getUser" datasource="database">
   Select password from login where login.username = '#Form.Username#'
</cfquery>

<cfoutput>
   #getUser.password#<br>
   #hash(Form.password)#
</cfoutput>


See if they match.
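Putting the thread's scheme together (hash on insert, hash-and-compare at login, one-time migration of passwords already stored as plaintext, and the stored-versus-computed debug check from the last reply) as an added Python example, not code from this thread: `cf_hash` is a stand-in for ColdFusion's `hash()` (MD5, upper-case hex), an in-memory sqlite3 table stands in for the Access `login` table, and the sample rows are constructed.

```python
import hashlib
import sqlite3

# Constructed sample rows: the table as it looked BEFORE migration, still
# holding plaintext passwords, as in the thread's Access database.
SAMPLE_USERS = [(1, "cindy", "mypassword"), (2, "bob", "letmein")]


def cf_hash(value: str) -> str:
    """Stand-in for ColdFusion's hash(): MD5 of the string as upper-case hex."""
    return hashlib.md5(value.encode("utf-8")).hexdigest().upper()


def setup_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the thread's `login` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login (id, username, password) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def insert_user(conn: sqlite3.Connection, uid: int, username: str, password: str) -> None:
    """New-account path: store hash(password), never the plaintext."""
    conn.execute("INSERT INTO login (id, username, password) VALUES (?, ?, ?)",
                 (uid, username, cf_hash(password)))


def migrate_passwords(conn: sqlite3.Connection) -> int:
    """One-time migration of rows that still hold plaintext; returns rows updated.
    Run it exactly once: a second run would hash the hashes and lock everyone out."""
    rows = conn.execute("SELECT id, password FROM login").fetchall()
    for uid, plain in rows:
        conn.execute("UPDATE login SET password = ? WHERE id = ?", (cf_hash(plain), uid))
    return len(rows)


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login path: hash the submitted password and compare it with the stored hash.
    Values are bound as parameters (the cfqueryparam equivalent), not interpolated."""
    row = conn.execute("SELECT password FROM login WHERE username = ?", (username,)).fetchone()
    return row is not None and row[0] == cf_hash(password)


def debug_compare(conn: sqlite3.Connection, username: str, password: str):
    """The thread's diagnostic step: return (stored value, hash of submitted password)
    so the two strings can be compared by eye when a login unexpectedly fails."""
    row = conn.execute("SELECT password FROM login WHERE username = ?", (username,)).fetchone()
    return (row[0] if row else None, cf_hash(password))
```

Until the migration has run, `check_login` fails for every account because the stored column still holds plaintext while the query compares a hash, which is exactly the symptom reported in the thread. ColdFusion's `hash()` defaults to unsalted MD5; current password storage uses a salted, deliberately slow hash, but the store-then-compare flow is the same.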
swartout (Author) commented:
Thanks for all of your help on this issue.  

a1programmer commented:
You're welcome... :)