Panos
asked on
ColdFusion Password Hashing and Salting
Hello experts.
I found a very nice tutorial about Password Hashing and Salting here:
http://www.oxalto.co.uk/2011/07/password-hashing-and-salting/
I also read about bcrypt:
http://blog.mxunit.org/2011/02/hashing-passwords-with-bcrypt-in.html
I need your opinion to decide which method to use.
The second tutorial doesn't include any example with a query.
Select ...
Where username = ....
and password = ....
Is there any way to use it like this?
bcrypt.hashpw(...) returns a boolean. So either of those will work. Personally I prefer <cfif isMatch> because it's cleaner :)
ASKER
Ok.
Something else. Using "autologin" and "remember me" I have to store username and passwords in cookies. Is the first way safe?
You shouldn't store them in plain text. This example might be helpful, though obviously use stronger encryption than in the demo:
http://www.bennadel.com/blog/1213-Creating-A-Remember-Me-Login-System-In-ColdFusion.htm
ASKER
Thank you for your help
Regards
Panos
> <cfset isMatch = bcrypt.hashpw(FORM.password, getPassword.hashedPassword )>
> ...
> bcrypt.hashpw(...) returns a boolean.
Just noticed a copy/paste error. That should obviously be
"checkpw" returns a boolean".
The hashpw() method returns ... well a hash of course ;-)
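Putting the corrected calls together with the query from the question, here is an added example of the login flow (not code from the thread or from either linked tutorial). It assumes jBCrypt is on the ColdFusion classpath under the class name org.mindrot.jbcrypt.BCrypt, a datasource named myDSN, and a users table with username and hashedPassword columns; all of those names are assumptions.

```cfml
<!--- Added example, not from the original thread. Assumed: jBCrypt on the
      classpath as org.mindrot.jbcrypt.BCrypt, datasource "myDSN", and a
      table users(username, hashedPassword). --->
<cfset bcrypt = createObject("java", "org.mindrot.jbcrypt.BCrypt")>

<!--- Registration: store only the bcrypt hash, never the password.
      gensalt(12) sets the work factor; the salt is embedded in the hash string. --->
<cfset hashedPassword = bcrypt.hashpw(FORM.password, bcrypt.gensalt(12))>
<cfquery datasource="myDSN">
    INSERT INTO users (username, hashedPassword)
    VALUES (
        <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#hashedPassword#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Login: the password cannot go in the WHERE clause, because hashpw()
      produces a different string every time (fresh salt). Look the user up
      by username only, then let checkpw() compare the submitted password
      against the stored hash. --->
<cfquery name="getPassword" datasource="myDSN">
    SELECT hashedPassword
    FROM users
    WHERE username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset isMatch = false>
<cfif getPassword.recordCount EQ 1>
    <!--- checkpw() returns a boolean; hashpw() returns the hash string --->
    <cfset isMatch = bcrypt.checkpw(FORM.password, getPassword.hashedPassword)>
</cfif>

<cfif isMatch>
    <!--- success: establish the session here --->
<cfelse>
    <!--- same generic message whether the user is unknown or the password is wrong --->
    <cfoutput>Invalid username or password.</cfoutput>
</cfif>
```

Because checkpw() returns a boolean, the plain `<cfif isMatch>` test is enough; no comparison against "yes" or "no" is needed.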
ASKER
I understand.
I made some tests and isMatch has the values yes or no.
Can I use <cfif isMatch> or <cfif isMatch EQ "yes"> (or EQ "NO")?