Solved

Coldfusion Password Hashing and Salting

Posted on 2012-08-17
Last Modified: 2012-08-18
Hello experts.
I found a very nice tutorial about Password Hashing and Salting here:
http://www.oxalto.co.uk/2011/07/password-hashing-and-salting/

I also read about bcrypt :
http://blog.mxunit.org/2011/02/hashing-passwords-with-bcrypt-in.html

I need your opinion to decide which method to use.

The second tutorial doesn't include any example with a query.
Select ...
Where username = ....
and password = ....

Is there any way to use it like this?
Question by: Panos
 
Accepted Solution by: _agx_ (LVL 53, earned 2000 total points), ID: 38306645
The bcrypt option sounds better, i.e. simpler process and more secure. Assuming you can use createObject in your environment.

But reading the comments I think you have to SELECT the hashed password from the db, then compare it using CF


 ie   <cfquery name="getPassword" ...>
             SELECT HashedPassword
             FROM Table
             WHERE userName = <cfqueryparam value="#FORM.userName#" ...>
       </cfquery>
       ... create bcrypt objects ...

       <!--- see if plaintext form.password matches stored password.
             checkpw() returns a boolean; hashpw() returns a hash string --->
       <cfset isMatch = bcrypt.checkpw(FORM.password, getPassword.hashedPassword)>
       <cfif isMatch>
           password is good. do something...
       </cfif>
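A complete version of the select-then-verify flow from the accepted solution, added here as an example (this is not code from the thread or from the linked blog post). It assumes jbcrypt.jar is on ColdFusion's classpath, that the class is org.mindrot.jbcrypt.BCrypt (older jBCrypt builds put it in the default package as plain "BCrypt"), and a datasource "myDSN" with a table users(userName, hashedPassword); all three are assumptions for the example. It also handles the case the answer leaves out: a username that is not in the table.

```cfml
<!--- Added example, not code from the original thread.
      Assumptions: jbcrypt.jar on the classpath, class org.mindrot.jbcrypt.BCrypt
      (plain "BCrypt" in older builds), datasource "myDSN", table users(userName, hashedPassword). --->
<cfset BCrypt = createObject("java", "org.mindrot.jbcrypt.BCrypt")>

<!--- Registration: bcrypt generates a fresh random salt and embeds it in the hash, so no
      separate salt column is needed. gensalt(12) = 2^12 rounds; raise it as hardware gets
      faster. The result is about 60 characters, so size the column accordingly. --->
<cfset newHash = BCrypt.hashpw(FORM.password, BCrypt.gensalt(12))>
<cfquery datasource="myDSN">
    INSERT INTO users (userName, hashedPassword)
    VALUES (
        <cfqueryparam value="#FORM.userName#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#newHash#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Login: the password cannot go in the WHERE clause, because every stored hash has a
      different salt. Fetch the hash by username and let bcrypt do the comparison. --->
<cfquery name="getPassword" datasource="myDSN">
    SELECT hashedPassword
    FROM users
    WHERE userName = <cfqueryparam value="#FORM.userName#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- checkpw() throws on an empty string, and skipping it for unknown users makes a failed
      login for a real user measurably slower than for a fake one. Verify against a throwaway
      hash (computed once per application) so both paths cost one bcrypt operation. --->
<cfif NOT structKeyExists(APPLICATION, "dummyHash")>
    <cfset APPLICATION.dummyHash = BCrypt.hashpw("not-a-real-password", BCrypt.gensalt(12))>
</cfif>
<cfif getPassword.recordCount EQ 1>
    <cfset storedHash = getPassword.hashedPassword>
<cfelse>
    <cfset storedHash = APPLICATION.dummyHash>
</cfif>

<!--- checkpw() returns a boolean; hashpw() returns the hash string --->
<cfset isMatch = BCrypt.checkpw(FORM.password, storedHash) AND getPassword.recordCount EQ 1>

<cfif isMatch>
    <cfset SESSION.userName = FORM.userName>
<cfelse>
    <!--- Same message for a wrong password and an unknown user --->
    <cfset errorMessage = "Invalid username or password">
</cfif>
```

The `AND getPassword.recordCount EQ 1` guard means an unknown user never logs in even though the dummy hash was checked; the dummy check exists only so that the response time does not reveal which usernames exist.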
 
Author Comment by: Panos (LVL 2), ID: 38306658
Hi agx.

I understand.
I made some tests and the isMatch has values yes or no.
Can I use <cfif isMatch> or <cfif isMatch EQ "yes"> (or EQ "NO")?
 
Expert Comment by: _agx_ (LVL 53), ID: 38306671
bcrypt.hashpw(...) returns a boolean. So either of those will work.  Personally I prefer <cfif isMatch> because it's cleaner :)
 
Author Comment by: Panos (LVL 2), ID: 38306686
Ok.
Something else. Using "autologin" and "remember me" I have to store username and passwords in cookies. Is the first way safe?
 
Expert Comment by: _agx_ (LVL 53), ID: 38307093
You shouldn't store them in plain text. This example might be helpful, though obviously use stronger encryption than in the demo:

http://www.bennadel.com/blog/1213-Creating-A-Remember-Me-Login-System-In-ColdFusion.htm
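An added example of a "remember me" cookie that never carries the username or password at all (this is not code from the thread or from the linked demo, which encrypts the credentials into the cookie instead). The cookie holds a random token; the database holds only the SHA-256 of that token, so a leaked table cannot be replayed as cookies, and the cookie is marked HttpOnly and Secure. It assumes ColdFusion 9 or later (for the httponly attribute on cfcookie), a datasource "myDSN" with a table rememberMe(selector, tokenHash, userName, expires), and that SESSION.userName is what the password login above sets; those are assumptions for the example.

```cfml
<!--- Added example, not code from the original thread or the linked demo.
      Assumptions: CF9+ (httponly attribute), datasource "myDSN",
      table rememberMe(selector, tokenHash, userName, expires), SESSION.userName set on login. --->

<!--- 1. Issue: call this after a successful password login when "remember me" was ticked --->
<cffunction name="issueRememberMe" returntype="void" output="false">
    <cfargument name="userName" type="string" required="true">
    <!--- selector: public lookup key, no secrecy needed.
          validator: the secret. generateSecretKey() returns 128 random bits from a
          cryptographic RNG; hex-encoded so the cookie value needs no escaping. --->
    <cfset var selector = createUUID()>
    <cfset var validator = binaryEncode(binaryDecode(generateSecretKey("AES"), "base64"), "hex")>
    <cfset var expires = dateAdd("d", 30, now())>
    <cfquery datasource="myDSN">
        INSERT INTO rememberMe (selector, tokenHash, userName, expires)
        VALUES (
            <cfqueryparam value="#selector#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#hash(validator, 'SHA-256')#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#arguments.userName#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#expires#" cfsqltype="cf_sql_timestamp">
        )
    </cfquery>
    <!--- HttpOnly keeps script away from the cookie; Secure keeps it off plain HTTP --->
    <cfcookie name="rememberMe" value="#selector#:#validator#" expires="#expires#" httponly="true" secure="true">
</cffunction>

<!--- 2. Redeem: call this on a request that has no logged-in session yet --->
<cffunction name="loginFromRememberMe" returntype="boolean" output="false">
    <cfset var parts = "">
    <cfset var getToken = "">
    <cfif NOT structKeyExists(COOKIE, "rememberMe") OR listLen(COOKIE.rememberMe, ":") NEQ 2>
        <cfreturn false>
    </cfif>
    <cfset parts = listToArray(COOKIE.rememberMe, ":")>
    <!--- Look up by selector only; the secret never goes into SQL, it is compared here
          against the stored hash, the same way the password is compared against its hash --->
    <cfquery name="getToken" datasource="myDSN">
        SELECT userName, tokenHash
        FROM rememberMe
        WHERE selector = <cfqueryparam value="#parts[1]#" cfsqltype="cf_sql_varchar">
          AND expires > <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
    </cfquery>
    <cfif getToken.recordCount EQ 1 AND compare(hash(parts[2], "SHA-256"), getToken.tokenHash) EQ 0>
        <cfset SESSION.userName = getToken.userName>
        <cfreturn true>
    </cfif>
    <!--- Unknown selector, expired row or wrong validator: drop the cookie --->
    <cfcookie name="rememberMe" expires="now">
    <cfreturn false>
</cffunction>
```

On logout, delete the row for the selector in the cookie as well as the cookie itself; changing the password should delete every row for that user so old devices stop being trusted.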
 
Author Closing Comment by: Panos (LVL 2), ID: 38307298
Thank you for your help
Regards
Panos
 
Expert Comment by: _agx_ (LVL 53), ID: 38308579
> <cfset isMatch = bcrypt.hashpw(FORM.password, getPassword.hashedPassword)>
> ...
> bcrypt.hashpw(...) returns a boolean.

Just noticed a copy/paste error. That should obviously be

    "checkpw" returns a boolean.

The hashpw() method returns ... well a hash of course ;-)