swartout
Passwords and Encryption?

When I go live with my product, should I have my passwords encrypted in my database?  If I protect the directory that my database is on, is that enough to avoid hackers?  I do not want the wrong people to get ahold of my passwords and then have access to my system.
anandkp

YES - you need to have your passwords encrypted. But that doesn't mean they cannot be hacked - they offer some degree of protection, but definitely aren't foolproof.

There are various means of doing this. You may create your own DLLs to do this, or use the CFEncrypt functions to do this for you.

It's always good practice to have them encrypted.

See what others have to say on this.

K'Rgds
Anand
swartout

ASKER

How do I encrypt them?  Do I need to worry about the other data that I am storing in my database?  I do not have financial information; it is a performance evaluation database.  I would not want unauthorized individuals to see others' evaluations.
There are 2 functions in ColdFusion... (v4.5, maybe earlier too)

encrypt(string,key)
decrypt(string,key)

<cfset enc_password = encrypt("mypassword", "mykey")>

Now enc_password is the encrypted password.

You can then do
<cfset regular_password = decrypt(enc_password, "mykey")>

and regular_password will be "mypassword"...

Hope this helps...

The above is a suitable method for password encryption; however, CF also provides the Hash (hash(var)) function to use MD5 encryption for a higher level of security. Of course MD5 is one way and you would not be able to decrypt the passwords, but you can compare two encrypted strings like thus:


<!--- Compare the MD5 of the submitted password with the stored hash. Form fields are bound
      with cfqueryparam instead of being spliced into the SQL string. --->
<cfquery name="getadmin">
Select * from tbl_users
where username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
AND password = <cfqueryparam value="#hash(form.password)#" cfsqltype="cf_sql_varchar">
</cfquery>


Using encrypt & decrypt isn't really suited to a commerce site, as it can be overcome more easily than the MD5 encryption.

But if you require password recovery it should suffice.

Re "protect the directory that my database is on"

I assume your database folder is somehow under wwwroot?
If so, this is worrying, as all they would have to do is know your database name to download your DB.

What format / location is your database?
Very true.  I didn't realize a hash function existed.

Protecting the dir/machine is probably the best solution.

Anyone with access to the drive/machine could access the database and replace the MD5 hash with their own just as easily as the encrypt, but they won't be able to determine the password.


My database is in a directory off of the root, and it is an access database.
I included the (hash(var)) function in my SQL statement like you have above, and it doesn't recognize the login.  What else do I need to do to get the MD5 to work?

Thanks
Cindy
The password in the database will have to be encrypted first.

You initially encrypt the password upon insert into the db. Then when they login, you encrypt the password they enter, and then you can use it in a query.

Insert...

<cfquery name="insertAdmin">
     insert into admin (username,password) ('#username#','#hash(password)#')
</cfquery>

Then, when you query the db:

<!--- Hash the submitted password the same way it was hashed on insert, then bind both
      values with cfqueryparam so user input never becomes part of the SQL text. --->
<cfquery name="getAdmin" datasource="...">
     select * from admin where username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">
     and password = <cfqueryparam value="#hash(password)#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif getAdmin.recordCount>
  access
<cfelse>
  no access
</cfif>
I left out VALUES.

Insert...

<!--- Store the MD5 hash, never the plaintext; bind values with cfqueryparam. --->
<cfquery name="insertAdmin">
    insert into admin (username,password)
    values (<cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">, <cfqueryparam value="#hash(password)#" cfsqltype="cf_sql_varchar">)
</cfquery>
What if my passwords are already in my db?  Can I update them?
Yeah.

<cfquery name="getPasswords" ...>
   Select id, password from Admin
</cfquery>

<!--- One-time pass: replace each stored plaintext password with its hash. Inside the
      cfoutput, password and id refer to the current row of getPasswords. --->
<cfoutput query="getPasswords" ...>
   <cfquery name="updatePasswords" ...>
      update Admin set password = <cfqueryparam value="#hash(password)#" cfsqltype="cf_sql_varchar">
      where id = <cfqueryparam value="#id#" cfsqltype="cf_sql_integer">
   </cfquery>
</cfoutput>

I am kind of new to ColdFusion... From what I understand, you can use a <cfloop> instead of the <cfoutput> because no output is needed here...  But that should work (you will have to change the SQL to match your tables, of course...)
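The same store-hash, hash-on-login and migrate-existing-rows flow from the two posts above, as an added worked example that is not code from this thread. It is written in Python with an in-memory SQLite table standing in for the Access `admin` table; it swaps the thread's single unsalted MD5 `hash()` for salted, iterated PBKDF2 (so the hash is verified in code rather than recomputed inside the WHERE clause), and binds parameters the way `cfqueryparam` does in CFML. Table contents and user names are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; stand-in for the thread's single unsalted MD5 round


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$digest_hex'; a fresh random salt is drawn unless one is supplied."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the entered password with the stored row's salt and compare in constant time."""
    if "$" not in stored:
        return False  # row still holds a plaintext (unmigrated) value; never match against it
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def open_db() -> sqlite3.Connection:
    """Constructed sample table shaped like the thread's admin(username, password),
    seeded with plaintext passwords as the asker's database held before migration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer primary key, username text, password text)")
    conn.executemany("insert into admin (username, password) values (?, ?)",
                     [("cindy", "mypassword"), ("anand", "s3cret")])
    return conn


def migrate_plaintext(conn: sqlite3.Connection) -> int:
    """One-time pass over existing rows: replace each plaintext password with its hash.
    Already-hashed rows are skipped, so re-running the migration is harmless."""
    migrated = 0
    for row_id, value in conn.execute("select id, password from admin").fetchall():
        if "$" in value:
            continue
        conn.execute("update admin set password = ? where id = ?", (hash_password(value), row_id))
        migrated += 1
    return migrated


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fetch the row by username with a bound parameter (the role cfqueryparam plays in CFML),
    then verify in code: with a per-row salt the hash cannot be recomputed inside the WHERE."""
    row = conn.execute("select password from admin where username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

Until `migrate_plaintext` has run, every login fails rather than matching a plaintext row, which is the symptom to expect when hashed input is compared against unhashed stored values.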
I must be missing something; it is not working.  I updated my passwords in my database, so now in the database they are this string of numbers and letters.  I changed my results page SQL to password = #hash(form.password)#.  And when I try, I get my message stating that my password is incorrect.
hmmmmm...

Would you care to paste some code in here?

You may want to print some "debug" output to see what's getting returned, encrypted, and compared.
This is my query that I use to verify what the user entered in the login form.


<!--- Bind the form fields with CFQUERYPARAM; AccountNbr is numeric, the others are text. --->
<CFQUERY NAME="CheckUser" DATASOURCE="database">
SELECT * FROM login WHERE login.Username = <CFQUERYPARAM VALUE="#Form.Username#" CFSQLTYPE="cf_sql_varchar">
and login.AccountNbr = <CFQUERYPARAM VALUE="#form.Accountnbr#" CFSQLTYPE="cf_sql_integer">
and login.password = <CFQUERYPARAM VALUE="#hash(form.password)#" CFSQLTYPE="cf_sql_varchar">
</CFQUERY>
ASKER CERTIFIED SOLUTION
a1programmer
Thanks for all of your help on this issue.
You're welcome... :)