ColdFusion Talk (CF-Talk)
Hashing in ColdFusion 9
Author: Brian Thornton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351128
Docs are at:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c2f.html
My client is moving from CF MX to CF 9 and I find this could be handled better.
I am used to a 512 character to be created.
In CF 9 <cfset passwordHash = Encrypt(password,"SHA-512") /> is generating an 11 character sized text.
<cfset passwordHash = Hash(Encrypt(password,"SHA-512")) /> will get me 512 but is this duplicitous?
<cfset password = "myP@ssw0rd" />
<cfset salt = "foo">
<cfset passwordHash = Hash(Encrypt(password,"SHA-512")) />
Where is the salt handled?
Author: Russ Michaels
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351129
Encrypt(*string*, *key *[, *algorithm*, *encoding*, *IVorSalt*, *iterations*])
On Mon, May 14, 2012 at 1:58 PM, Brian Thornton <Brian@cfdeveloper.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Brian Thornton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351130
That's in the doc... I got that... Can we assume the length? IVorSalt
isn't salting within a salt string.
----- Excess quoted text cut - see Original Post for more -----
Author: Russ Michaels
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351131
Is this what you're trying to do, perhaps?
http://stackoverflow.com/questions/10036931/hash-function-that-works-identically-on-coldfusion-mx7-and-php-5-x
On Mon, May 14, 2012 at 2:13 PM, Brian Thornton <Brian@cfdeveloper.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Pete Freitag
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351135
The result of Hash using SHA-512 will always be a 128-character hex string; no
matter what the input, it will always be that length.
You can simply append or prepend the salt to the value you are hashing, e.g.:
#Hash(password & salt, "SHA-512")#
You don't need to Encrypt your password if you are hashing it, and your
salt should be different for every user; something like a UUID or
GenerateSecretKey("AES") is what I use. You can store the salt in another
column in your user table. I typically generate a new salt every time the
user changes password.
--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
On Mon, May 14, 2012 at 8:58 AM, Brian Thornton <Brian@cfdeveloper.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
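The salted SHA-512 approach described in the reply above, as an added example that is not part of the original thread: a fresh salt is generated per user, kept beside the hash, and reused at login to recompute and compare. The function names, struct keys and the two sample users are assumptions; Hash(), GenerateSecretKey() and Compare() are the ColdFusion built-ins.

```cfml
<!--- Added example, not code from the thread. Function names and struct keys are assumptions. --->
<cffunction name="makePasswordRecord" returntype="struct" output="false">
    <cfargument name="password" type="string" required="true">
    <cfset var rec = StructNew()>
    <!--- New random salt for every user and every password change --->
    <cfset rec.salt = GenerateSecretKey("AES")>
    <!--- Hash() returns hex; a SHA-512 digest is always 128 hex characters --->
    <cfset rec.passwordHash = Hash(arguments.password & rec.salt, "SHA-512", "UTF-8")>
    <!--- Store rec.salt and rec.passwordHash in two columns of the user table --->
    <cfreturn rec>
</cffunction>

<cffunction name="verifyPassword" returntype="boolean" output="false">
    <cfargument name="candidate" type="string" required="true">
    <cfargument name="storedSalt" type="string" required="true">
    <cfargument name="storedHash" type="string" required="true">
    <!--- Recompute with the salt stored for this user, then compare --->
    <cfset var candidateHash = Hash(arguments.candidate & arguments.storedSalt, "SHA-512", "UTF-8")>
    <cfreturn Compare(candidateHash, arguments.storedHash) EQ 0>
</cffunction>

<!--- Constructed sample data: two users who picked the same password --->
<cfset userA = makePasswordRecord("myP@ssw0rd")>
<cfset userB = makePasswordRecord("myP@ssw0rd")>
<cfset hashLength = Len(userA.passwordHash)>
<cfset hashesCollide = Compare(userA.passwordHash, userB.passwordHash) EQ 0>
<cfset goodLogin = verifyPassword("myP@ssw0rd", userA.salt, userA.passwordHash)>
<cfset badLogin = verifyPassword("myP@ssw0rd!", userA.salt, userA.passwordHash)>
<!--- A salt from the wrong row must not verify, even with the right password --->
<cfset crossLogin = verifyPassword("myP@ssw0rd", userB.salt, userA.passwordHash)>

<cfoutput>
Hash length: #hashLength#<br>
Same password gives same hash for both users: #hashesCollide#<br>
Correct password verifies: #goodLogin#<br>
Wrong password verifies: #badLogin#<br>
Correct password with another user's salt verifies: #crossLogin#
</cfoutput>
```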
Author: Brian Thornton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351136
perfect... thanks!
----- Excess quoted text cut - see Original Post for more -----
Author: Cameron Childress
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:63915#351137
> You don't need to Encrypt your password if you are hashing it, and your
> salt should be different for every user, something like a UUID or
> GenerateSecretKey("AES") is what I use. You can store the salt in another
> column in your user table. I typically generate a new salt every time the
> user changes password.
>
Brian-
Also worth looking at while you're at it... bCrypt is my new favorite way
of hashing and stores the salt with the hash string for super easy storage.
http://blog.mxunit.org/2011/02/hashing-passwords-with-bcrypt-in.html
-Cameron
--
Cameron Childress
May 20, 2013