House of Fusion
Mailing list: ColdFusion Talk (CF-Talk)

Hashing in ColdFusion 9

Author:
Brian Thornton
05/14/2012 08:58 AM

Docs are at: http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c2f.html

My client is moving from cf MX to cf 9 and I find this could be handled better. I am used to a 512 character to be created. In CF 9

<cfset passwordHash = Encrypt(password,"SHA-512") />

is generating an 11 character sized text.

<cfset passwordHash = Hash(Encrypt(password,"SHA-512")) />

will get me 512 but is this duplicitous?

<cfset password = "myP@ssw0rd" />
<cfset salt = "foo">
<cfset passwordHash = Hash(Encrypt(password,"SHA-512")) />

Where is the salt handled?

Author:
Russ Michaels
05/14/2012 09:10 AM

Encrypt(string, key [, algorithm, encoding, IVorSalt, iterations])

Author:
Brian Thornton
05/14/2012 09:13 AM

That's in the doc... I got that... Can we assume the length? IVorSalt isn't salting within a salt string.

Author:
Russ Michaels
05/14/2012 09:22 AM

Is this what you're trying to do perhaps?

http://stackoverflow.com/questions/10036931/hash-function-that-works-identically-on-coldfusion-mx7-and-php-5-x

Author:
Pete Freitag
05/14/2012 12:38 PM

The result of Hash using SHA-512 will always be a 128 character hex string; no matter what the input, it will always be that length.

You can simply append or prepend the salt to the value you are hashing, e.g.:

#Hash(password & salt, "SHA-512")#

You don't need to Encrypt your password if you are hashing it, and your salt should be different for every user, something like a UUID or GenerateSecretKey("AES") is what I use. You can store the salt in another column in your user table. I typically generate a new salt every time the user changes password.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
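The per-user salt scheme described in the reply above, written out as an added example that is not part of the original thread or any poster's code. The function names (newCredential, sameHash, checkPassword) and struct keys are hypothetical, and the salt and hash are assumed to live in two columns of the user table.

```cfml
<cfscript>
// Added example (not from the thread). All function and key names are hypothetical.

// Build a credential record: a fresh per-user salt plus the salted SHA-512 hash.
function newCredential(required string password) {
    var cred = StructNew();
    // GenerateSecretKey("AES") returns a random Base64 string; used here only as a salt.
    cred.salt = GenerateSecretKey("AES");
    // Hash() with SHA-512 returns 128 hex characters regardless of input length.
    cred.hash = Hash(arguments.password & cred.salt, "SHA-512");
    return cred;
}

// Compare two hex strings without stopping at the first mismatching character.
function sameHash(required string a, required string b) {
    var diff = 0;
    var i = 0;
    if (Len(arguments.a) NEQ Len(arguments.b)) return false;
    for (i = 1; i LTE Len(arguments.a); i = i + 1) {
        diff = BitOr(diff, BitXor(Asc(Mid(arguments.a, i, 1)), Asc(Mid(arguments.b, i, 1))));
    }
    return diff EQ 0;
}

// Recompute the hash from the submitted password and the stored salt, then compare.
function checkPassword(required string password, required string storedSalt, required string storedHash) {
    var candidate = Hash(arguments.password & arguments.storedSalt, "SHA-512");
    return sameHash(candidate, arguments.storedHash);
}

// Constructed sample values, standing in for a row from the user table.
user = newCredential("myP@ssw0rd");
WriteOutput("hash length: " & Len(user.hash) & "<br>");
WriteOutput("correct password: " & checkPassword("myP@ssw0rd", user.salt, user.hash) & "<br>");
WriteOutput("wrong password: " & checkPassword("myP@ssw0rd!", user.salt, user.hash) & "<br>");

// On a password change, call newCredential() again so the salt is replaced too.
user = newCredential("an0ther-P@ss");
</cfscript>
```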

Author:
Cameron Childress
05/14/2012 12:56 PM

> You don't need to Encrypt your password if you are hashing it, and your
> salt should be different for every user, something like a UUID or
> GenerateSecretKey("AES") is what I use. You can store the salt in another
> column in your user table. I typically generate a new salt every time the
> user changes password.

Brian-

Also worth looking at while you're at it... bCrypt is my new favorite way of hashing and stores the salt with the hash string for super easy storage.

http://blog.mxunit.org/2011/02/hashing-passwords-with-bcrypt-in.html

-Cameron

--
Cameron Childress

