Asked by Panos (Germany)
Coldfusion Password Hashing and Salting

Hello experts.
I found a very nice tutorial about Password Hashing and Salting here:
http://www.oxalto.co.uk/2011/07/password-hashing-and-salting/

I also read about bcrypt :
http://blog.mxunit.org/2011/02/hashing-passwords-with-bcrypt-in.html

I need your opinion to decide which method to use.

The second tutorial doesn't include any example with a query.
Select ...
Where username = ....
and password = ....

Is there any way to use it like this?
ASKER CERTIFIED SOLUTION by _agx_ (United States of America)

This solution is only available to members of Experts Exchange.
Panos (ASKER):
Hi agx.

I understand.
I made some tests and isMatch has the values yes or no.
Can I use <cfif isMatch> or <cfif isMatch EQ "yes"> (or EQ "NO")?

bcrypt.hashpw(...) returns a boolean. So either of those will work. Personally I prefer <cfif isMatch> because it's cleaner :)
Panos (ASKER):
Ok.
Something else. Using "autologin" and "remember me" I have to store username and password in cookies. Is the first way safe?

You shouldn't store them in plain text. This example might be helpful, though obviously use stronger encryption than in the demo:

http://www.bennadel.com/blog/1213-Creating-A-Remember-Me-Login-System-In-ColdFusion.htm
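The reply above says not to put the credentials in the cookie in plain text. The following added example (not from this thread and not from the linked article) goes one step further than encrypting them: it puts neither the username nor the password in the cookie at all. A random token is issued per login, only its SHA-256 hash is stored server-side, and the cookie is flagged Secure and HttpOnly. Assumed and not from the page: a datasource named "myDSN", a table "remember_tokens" with columns userId, selector, tokenHash and expiresAt, and that a successful login has already set session.userId.

```cfml
<!--- Added example, not the thread's or the linked article's code.
      Assumptions: datasource "myDSN", table remember_tokens(userId, selector, tokenHash, expiresAt),
      and session.userId already set by a normal password login. --->

<!--- 1. Issue the cookie right after a successful password login --->
<cfset selector  = createUUID()>                      <!--- lookup key only, not secret --->
<cfset token     = generateSecretKey("AES", 128)>     <!--- 16 random bytes, Base64-encoded (no ":" in the alphabet) --->
<cfset tokenHash = hash(token, "SHA-256")>            <!--- only the hash is stored server-side --->
<cfset expiresAt = dateAdd("d", 30, now())>

<cfquery datasource="myDSN">
    INSERT INTO remember_tokens (userId, selector, tokenHash, expiresAt)
    VALUES (
        <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#selector#"       cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#tokenHash#"      cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#expiresAt#"      cfsqltype="cf_sql_timestamp">
    )
</cfquery>

<!--- The cookie carries "selector:token"; no username, no password, no hash of either --->
<cfcookie name="rememberMe" value="#selector#:#token#" expires="30" secure="true" httponly="true">

<!--- 2. Auto-login on a later visit when there is no session yet --->
<cfif NOT structKeyExists(session, "userId") AND structKeyExists(cookie, "rememberMe")>
    <cfset parts = listToArray(cookie.rememberMe, ":")>
    <cfif arrayLen(parts) EQ 2>
        <cfquery name="getToken" datasource="myDSN">
            SELECT userId, tokenHash
            FROM   remember_tokens
            WHERE  selector  = <cfqueryparam value="#parts[1]#" cfsqltype="cf_sql_varchar">
            AND    expiresAt > <cfqueryparam value="#now()#"   cfsqltype="cf_sql_timestamp">
        </cfquery>
        <!--- Hash the presented token and compare with the stored hash; compare() returns 0 on an exact match --->
        <cfif getToken.recordCount EQ 1 AND compare(hash(parts[2], "SHA-256"), getToken.tokenHash) EQ 0>
            <cfset session.userId = getToken.userId>
        <cfelse>
            <!--- Unknown, expired or tampered cookie: drop it --->
            <cfcookie name="rememberMe" value="" expires="now">
        </cfif>
    </cfif>
</cfif>
```

Because the database holds only hash(token), a leaked table does not let anyone forge the cookie, and because the cookie holds only a random token, a stolen cookie reveals nothing about the user's password and can be revoked by deleting one row.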
Panos (ASKER):
Thank you for your help
Regards
Panos
> <cfset isMatch = bcrypt.hashpw(FORM.password, getPassword.hashedPassword)>
> ...
> bcrypt.hashpw(...) returns a boolean.

Just noticed a copy/paste error. That should obviously be

"checkpw() returns a boolean".

The hashpw() method returns ... well a hash of course ;-)
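The original question asks whether bcrypt can be used with a query of the form "WHERE username = ... AND password = ...". It cannot: every bcrypt hash embeds its own random salt, so there is no single value to put in the WHERE clause. The query selects the stored hash by username only, and the comparison is done in code with checkpw(), which (as the correction above says) is the method that returns a boolean. The following is an added example, not code from the thread or from either linked tutorial; it assumes a datasource "myDSN", a table "users" with columns username and hashedPassword, and the jBCrypt class org.mindrot.jbcrypt.BCrypt on the ColdFusion class path.

```cfml
<!--- Added example, not the thread's code.
      Assumptions: datasource "myDSN", table users(username, hashedPassword),
      and the jBCrypt jar (org.mindrot.jbcrypt.BCrypt) on the class path. --->
<cfset bcrypt = createObject("java", "org.mindrot.jbcrypt.BCrypt")>

<!--- Registration: store the salted bcrypt hash, never the password.
      gensalt(12) chooses a work factor of 2^12 rounds; the random salt is embedded in the hash string. --->
<cfset hashedPassword = bcrypt.hashpw(FORM.password, bcrypt.gensalt(12))>
<cfquery datasource="myDSN">
    INSERT INTO users (username, hashedPassword)
    VALUES (
        <cfqueryparam value="#FORM.username#"  cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#hashedPassword#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Login: select by username ONLY. The password cannot appear in the WHERE clause because
      the stored value is a salted hash that differs for every user and every registration. --->
<cfquery name="getPassword" datasource="myDSN">
    SELECT hashedPassword
    FROM   users
    WHERE  username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- One-time dummy hash (constructed here, not a real user's) so that an unknown username
      still costs one bcrypt computation, the same as a wrong password. --->
<cfif NOT structKeyExists(application, "dummyHash")>
    <cfset application.dummyHash = bcrypt.hashpw("not-a-real-password", bcrypt.gensalt(12))>
</cfif>
<cfset storedHash = (getPassword.recordCount EQ 1) ? getPassword.hashedPassword : application.dummyHash>

<!--- checkpw() re-hashes FORM.password with the salt taken from storedHash and returns a boolean.
      hashpw() would return a new hash string instead, which is the mix-up corrected above. --->
<cfset isMatch = bcrypt.checkpw(FORM.password, storedHash) AND (getPassword.recordCount EQ 1)>

<cfif isMatch>
    <cfset session.loggedIn = true>
    <cfset session.username = FORM.username>
<cfelse>
    <!--- Same message for unknown user and wrong password: do not reveal which one failed --->
    <cfoutput><p>Invalid username or password.</p></cfoutput>
</cfif>
```

Because checkpw() returns a Java boolean, the plain <cfif isMatch> form from earlier in the thread works unchanged; the AND with recordCount only guards against the dummy-hash path ever counting as a successful login.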