Moving from plain text password storage to encrypted password storage: CF11 SQL Server 2012

I have a lot of members in the database with plain text passwords.

Firstly what is the recommended strategy for encrypting the passwords of new members as they register / and old members as they  change passwords.

How to get around problem of having text and encrypted passwords.

Do a batch conversion?  Any functions / algos you can recommend

Thanks
Ian WhiteOwner and FounderAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

_agx_Commented:
(I'm about to head out.... )

For passwords, use hashing rather than encryption.  Hashing is one way and in theory can't be reversed.  For algorithm, Avoid md5 and sha1 use something like SHA-256 or above with a salt.

How to get around problem of having text and encrypted passwords.

If it were me, I'd do it all at once.  I'd create new scripts for login validation and "Forgot Password" functionality that use hashing.  Test them against a copy of the user table.  When it's fully tested, backup the main table (very important) and update all passwords in bulk.

Keep in mind both CF and SQL Server have hashing functions.  You need to decide which one you're doing to use.  In theory they're compatible, meaning you could mix them, but personally I'd use one or the other, not both.  Using CF functions for a bulk update, is a bit clunkier than using SQL Server's functions, because you need to update the records one at a time.  However, since it's a one time event, it's not that big a deal.  Not unless you're updating a really large number of records.   For CF, run a query to get all passwords:

              SELECT uniqueUserRecordID, PlainTextPassword FROM tablename

Then loop through the results and run an UPDATE on each record using the appropriate hashing function.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ian WhiteOwner and FounderAuthor Commented:
Thank you - I do that, at least get my friends in India to do that
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ColdFusion Language

From novice to tech pro — start learning today.