Coldfusion Password Hashing and Salting

Posted on 2012-08-17
Last Modified: 2012-08-18
Hello experts.
I found a very nice tutorial about Password Hashing and Salting here:

I also read about bcrypt :

I need your opinion to decide which method to use.

The second tutorial doesn't include any example with a query.
Select ...
Where username = ....
and password = ....

Is there any way to use it like this?
Question by: Panos
    LVL 51

    Accepted Solution

    The bcrypt option sounds better, i.e. a simpler process and more secure. Assuming you can use createObject in your environment.

    But reading the comments I think you have to SELECT the hashed password from the db, then compare it using CF.

     ie
        <cfquery name="getPassword" ...>
            SELECT HashedPassword
            FROM Table
            WHERE userName = <cfqueryparam value="#FORM.userName#" ...>
        </cfquery>
        ... create bcrypt objects ...

        <!--- see if plaintext form.password matches stored password ...--->
        <cfset isMatch = bcrypt.hashpw(FORM.password, getPassword.hashedPassword)>
        <cfif isMatch>
            password is good. do something...
        </cfif>
    LVL 2

    Author Comment

    Hi agx.

    I understand.
    I made some tests and isMatch has the values yes or no.
    Can I use <cfif isMatch> or <cfif isMatch EQ "yes"> (or EQ "NO")?
    LVL 51

    Expert Comment

    bcrypt.hashpw(...) returns a boolean. So either of those will work. Personally I prefer <cfif isMatch> because it's cleaner :)
    LVL 2

    Author Comment

    Something else. Using "autologin" and "remember me" I have to store username and passwords in cookies. Is the first way safe?
    LVL 51

    Expert Comment

    You shouldn't store them in plain text. This example might be helpful, though obviously use stronger encryption than in the demo:
    LVL 2

    Author Closing Comment

    Thank you for your help
    LVL 51

    Expert Comment

    > <cfset isMatch = bcrypt.hashpw(FORM.password, getPassword.hashedPassword)>
    > ...
    > bcrypt.hashpw(...) returns a boolean.

    Just noticed a copy/paste error. That should obviously be

        "checkpw" returns a boolean.

    The hashpw() method returns ... well, a hash of course ;-)
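    The full register/login flow sketched in the accepted solution, with the checkpw() correction from the last comment applied, as an added example that is not code from the thread. It assumes jBCrypt is on the ColdFusion classpath as org.mindrot.jbcrypt.BCrypt, a datasource named myDSN, and a users table with userName and hashedPassword columns; all of those names are assumptions.

```cfml
<!--- Added example, not from the thread. Assumed: jBCrypt class name,
      datasource "myDSN", table users(userName, hashedPassword). --->
<cfset bcrypt = createObject("java", "org.mindrot.jbcrypt.BCrypt")>

<!--- Registration: hash once with a fresh salt and store only the hash.
      hashpw() returns the hash string; the salt is embedded in it. --->
<cffunction name="registerUser" returntype="void">
    <cfargument name="userName" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <!--- gensalt(12) sets the work factor (cost); raise it as hardware gets faster --->
    <cfset var hashed = bcrypt.hashpw(arguments.password, bcrypt.gensalt(12))>
    <cfquery datasource="myDSN">
        INSERT INTO users (userName, hashedPassword)
        VALUES (<cfqueryparam value="#arguments.userName#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#hashed#" cfsqltype="cf_sql_varchar">)
    </cfquery>
</cffunction>

<!--- Login: the password never goes into the WHERE clause. Select the stored
      hash by user name, then let bcrypt do the comparison in CF. --->
<cffunction name="verifyLogin" returntype="boolean">
    <cfargument name="userName" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var getPassword = "">
    <cfquery name="getPassword" datasource="myDSN">
        SELECT hashedPassword
        FROM users
        WHERE userName = <cfqueryparam value="#arguments.userName#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <!--- Unknown user: fail the same way as a wrong password --->
    <cfif getPassword.recordCount EQ 0>
        <cfreturn false>
    </cfif>
    <!--- checkpw() re-hashes the submitted password with the salt and cost
          stored in the hash and compares; this is the boolean, not hashpw() --->
    <cfreturn bcrypt.checkpw(arguments.password, getPassword.hashedPassword)>
</cffunction>

<!--- Usage on the login action page --->
<cfif verifyLogin(FORM.userName, FORM.password)>
    <!--- password is good. set up the session here --->
<cfelse>
    <!--- generic failure message; do not say whether the user exists --->
</cfif>
```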
