Passwords and Encryption?

Posted on 2003-03-24
Last Modified: 2013-12-24
When I go live with my product, should I have my passwords encrypted in my database?  If I protect the directory that my database is on, is that enough to avoid hackers?  I do not want the wrong people to get ahold of my passwords and then have access to my system.
Question by:swartout
18 Comments
 

Expert Comment

by:anandkp
ID: 8196846
YES, you need to have your passwords encrypted. But that doesn't mean they cannot be hacked; they offer some degree of protection but definitely aren't foolproof.

There are various means of doing this. You may create your own DLLs to do this, or use the CFEncrypt functions to do this for you.

It's always a good practice to have them encrypted.

See what others have to say on this.

K'Rgds
Anand
 

Author Comment

by:swartout
ID: 8196970
How do I encrypt them?  Do I need to worry about the other data that I am storing in my database?  I do not have financial information; it is a performance evaluation database.  I would not want unauthorized individuals to see others' evaluations.
 

Expert Comment

by:a1programmer
ID: 8197498
There are 2 functions in ColdFusion (v4.5, maybe earlier too):

encrypt(string, key)
decrypt(string, key)

<cfset enc_password = encrypt("mypassword", "mykey")>

Now enc_password is the encrypted password.

You can then do
<cfset regular_password = decrypt(enc_password, "mykey")>

and regular_password will be "mypassword".

Hope this helps...

 

Expert Comment

by:demarco
ID: 8202062
The above is a suitable method for password encryption. However, CF also provides the Hash() function (hash(var)) to use MD5 encryption for a higher level of security. Of course, MD5 is one way and you would not be able to decrypt the passwords, but you can compare two encrypted strings like this:


<cfquery name="getadmin">
<!--- bind the form values with cfqueryparam instead of pasting them into the SQL --->
SELECT * FROM tbl_users
WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
AND password = <cfqueryparam value="#hash(form.password)#" cfsqltype="cf_sql_varchar">
</cfquery>


Using encrypt & decrypt isn't really suited to a commerce site, as it can be overcome more easily than MD5 encryption.

But if you require password recovery it should suffice.

 

Expert Comment

by:demarco
ID: 8202067
Re  "protect the directory that my database is on"

I assume your database folder is somehow under wwwroot?
If so, this is worrying, as all they would have to do is know your database name to download your DB.

What format / location is your database ?
 

Expert Comment

by:a1programmer
ID: 8202908
very true.  I didn't realize a hash function existed.

Protecting the dir/machine is probably the best solution.  

Anyone with access to the drive/machine could access the database, and replace the MD5 hash with their own just as easily as the encrypted value, but they won't be able to determine the password.


 

Author Comment

by:swartout
ID: 8202975
My database is in a directory off of the root, and it is an access database.
 

Author Comment

by:swartout
ID: 8203019
I included the (hash(var)) function in my SQL statement like you have above, and it doesn't recognize the login.  What else do I need to do to get the MD5 to work?

Thanks
Cindy
 

Expert Comment

by:a1programmer
ID: 8203120
the password in the database will have to be encrypted first.

You initially encrypt the password upon insert into the db. Then when they login, you encrypt the password they enter, and then you can use it in a query.

Insert...

<cfquery name="insertAdmin">
     insert into admin (username,password) ('#username#','#hash(password)#')
</cfquery>

Then, when you query the db.

<cfquery name="getAdmin" datasource="...">
     SELECT * FROM admin
     WHERE username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">
     AND password = <cfqueryparam value="#hash(password)#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif getAdmin.recordCount>
  access
<cfelse>
  no access
</cfif>
 

Expert Comment

by:a1programmer
ID: 8203130
I left out values

Insert...

<cfquery name="insertAdmin">
    INSERT INTO admin (username, password)
    VALUES (<cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#hash(password)#" cfsqltype="cf_sql_varchar">)
</cfquery>
 

Author Comment

by:swartout
ID: 8203157
What if my passwords are already in my db?  Can I update them?
 

Expert Comment

by:a1programmer
ID: 8203209
yeah

<cfquery name="getPasswords" ...>
   SELECT id, password FROM Admin
</cfquery>

<cfoutput query="getPasswords" ...>
   <cfquery name="updatePasswords" ...>
      UPDATE Admin
      SET password = <cfqueryparam value="#hash(getPasswords.password)#" cfsqltype="cf_sql_varchar">
      WHERE id = <cfqueryparam value="#getPasswords.id#" cfsqltype="cf_sql_integer">
   </cfquery>
</cfoutput>

I am kind of new to ColdFusion. From what I understand, you can use a <cfloop> instead of the <cfoutput> because no output is needed here. But that should work (you will have to change the SQL to match your tables, of course).
 

Author Comment

by:swartout
ID: 8203409
I must be missing something; it is not working.  I updated my passwords in my database, so now in the database they are a string of numbers and letters.  I changed my results page SQL to password = #hash(form.password)#.  And when I try, I get my message stating that my password is incorrect.
 

Expert Comment

by:a1programmer
ID: 8203442
Hmmmmm...

Would you care to paste some code in here?

You may want to print some "debug" output to see what's getting returned, encrypted, and compared.
 

Author Comment

by:swartout
ID: 8203693
This is my query that I use to verify what the user entered in the login form.


<CFQUERY NAME="CheckUser" DATASOURCE="database">
SELECT * FROM login
WHERE login.Username = <cfqueryparam value="#Form.Username#" cfsqltype="cf_sql_varchar">
AND login.AccountNbr = <cfqueryparam value="#Form.AccountNbr#" cfsqltype="cf_sql_integer">
AND login.password = <cfqueryparam value="#hash(Form.password)#" cfsqltype="cf_sql_varchar">
</CFQUERY>
 

Accepted Solution

by:a1programmer (earned 200 total points)
ID: 8203739
First, try reading the password.

<cfquery name="getUser" datasource="database">
   SELECT password FROM login
   WHERE login.Username = <cfqueryparam value="#Form.Username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfoutput>
   #getUser.password#<br>
   #hash(Form.password)#
</cfoutput>


See if they match.
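The procedure worked out across the comments above (hash the password on insert, hash the submitted password and compare in the query, run a one-time update over rows that are still plaintext, and, when login fails, print the stored value next to the freshly computed hash), as an added example that is not code from the thread. It is written in Python rather than ColdFusion because the scheme itself is language-independent: an in-memory sqlite3 table stands in for the Access `login` table, `md5_hex` mimics the format ColdFusion's `Hash()` returns (32 uppercase hex characters), and the usernames, account numbers and passwords are constructed. The `crack_unsalted` and `pbkdf2_*` functions are the editorial caveat a practitioner would add today, not something the thread discusses: unsalted MD5 can be reversed for common passwords with a single lookup table, which a salted, iterated hash prevents.

```python
import hashlib
import hmac
import os
import sqlite3


def md5_hex(text: str) -> str:
    """Mimic ColdFusion Hash(): MD5 of the string as 32 uppercase hex chars."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def open_db() -> sqlite3.Connection:
    """Constructed stand-in for the thread's `login` table, still holding
    plaintext passwords as it did before the update script was run."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (Username TEXT, AccountNbr INTEGER, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?, ?)", [
        ("cindy", 101, "password"),
        ("bob",   102, "letmein"),
        ("alice", 103, "password"),  # same password as cindy
    ])
    return db


def looks_hashed(value: str) -> bool:
    return len(value) == 32 and set(value) <= set("0123456789ABCDEF")


def migrate_plaintext(db: sqlite3.Connection) -> int:
    """One-time update from the thread: replace each plaintext password with
    its MD5. Rows that already look hashed are skipped, so running the page a
    second time does not hash the hashes again (heuristic: a real plaintext of
    exactly 32 hex chars would be skipped too). Returns rows updated."""
    updated = 0
    for rowid, pw in db.execute("SELECT rowid, password FROM login").fetchall():
        if looks_hashed(pw):
            continue
        db.execute("UPDATE login SET password = ? WHERE rowid = ?", (md5_hex(pw), rowid))
        updated += 1
    db.commit()
    return updated


def check_user(db: sqlite3.Connection, username: str, account: int, password: str) -> bool:
    """The CheckUser query: hash the submitted password and compare it to the
    stored hash. Form values are bound as parameters, the equivalent of
    <cfqueryparam>, rather than interpolated into the SQL text."""
    row = db.execute(
        "SELECT 1 FROM login WHERE Username = ? AND AccountNbr = ? AND password = ?",
        (username, account, md5_hex(password)),
    ).fetchone()
    return row is not None


def debug_compare(db: sqlite3.Connection, username: str, password: str) -> tuple:
    """The accepted answer's check: the stored column value next to the hash of
    what the user typed. If they differ, look at what is actually stored (for
    example still plaintext because the update never ran) instead of guessing."""
    (stored,) = db.execute(
        "SELECT password FROM login WHERE Username = ?", (username,)
    ).fetchone()
    return stored, md5_hex(password)


def crack_unsalted(db: sqlite3.Connection, wordlist) -> dict:
    """Why unsalted MD5 is a weak password store: one lookup table built from a
    wordlist recovers every row whose password is in the list, and identical
    passwords are visible as identical hashes before any cracking at all."""
    table = {md5_hex(w): w for w in wordlist}
    rows = db.execute("SELECT Username, password FROM login").fetchall()
    return {user: table[h] for user, h in rows if h in table}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Salted, slow alternative: a random per-user salt defeats a shared lookup
    table and the iteration count makes every guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    db = open_db()
    print("before migration:", check_user(db, "cindy", 101, "password"))  # False
    print("rows migrated:", migrate_plaintext(db))                         # 3
    print("after migration:", check_user(db, "cindy", 101, "password"))   # True
    print("stored vs computed:", debug_compare(db, "cindy", "password"))
    print("dictionary attack:", crack_unsalted(db, ["123456", "password", "letmein"]))
    rec = pbkdf2_store("s3cret")
    print("pbkdf2:", pbkdf2_verify(rec, "s3cret"), pbkdf2_verify(rec, "wrong"))
```

Run as a script, the first `check_user` call fails for exactly the reason the thread was chasing: the query compares an MD5 digest against a column that still holds plaintext, and `debug_compare` shows the two values side by side. After `migrate_plaintext` the same login succeeds, and `crack_unsalted` then shows what an attacker who downloads the database gets back from a three-word list.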
 

Author Comment

by:swartout
ID: 8204496
Thanks for all of your help on this issue.  
 

Expert Comment

by:a1programmer
ID: 8204543
You're welcome...  :)
