Hashing Passwords

After being criticized for my last post about 2-way encryption of passwords, I have decided to write a post about hashing your passwords. As was pointed out in my last post, this is a more secure way of keeping your password data safe.

Hashing passwords in a database is very easy. The syntax of the Hash function is:

Hash(string[, algorithm[, encoding]] )
More information about the syntax can be found at Adobe Livedocs.

To hash the data into the database, we will use an insert query and insert the hashed password.

<!--- Store the hash of the submitted password, never the password itself --->
<cfquery datasource="encryption">
INSERT INTO users (username, password)
VALUES (<cfqueryparam value="#FORM.Nusername#" cfsqltype="cf_sql_clob" maxlength="255">,
        <cfqueryparam value="#Hash(form.password)#" cfsqltype="cf_sql_clob" maxlength="255">)
</cfquery>

This is essentially very simple to do. To check whether the user has entered the correct password to log in, we simply use a script like this:

<!--- Fetch the stored hash for the submitted username --->
<cfquery name = "checkpassword" datasource = "Users">
SELECT Password
FROM Users
WHERE Username = <cfqueryparam value = "#Username#" cfsqltype = "CF_SQL_VARCHAR">
</cfquery>

<cfif Hash(form.password) is not checkpassword.password>
<cflocation url = "loginfailed.cfm">
<cfelse>
...
</cfif>

The main difference between this and my last post about 2-way encryption of passwords is that the password is never decrypted. The login check hashes what the user typed and compares it with the stored hash, so there is less chance of anyone finding the password out.
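The one-argument Hash() call above is unsalted and single-pass, so two users with the same password end up with the same stored value. The following is an added example, not code from the original post, that derives the stored value from a per-user random salt with an iterated function and compares it without an early exit. It assumes ColdFusion 11 or later for GeneratePBKDFKey(); the function names, iteration count and record layout are illustrative.

```cfml
<cfscript>
// Added example. Assumes ColdFusion 11+ (GeneratePBKDFKey). Names are illustrative.

// Build the values to store for a new user: salt, work factor and derived hash.
function newPasswordRecord(required string password) {
    var rec = {};
    rec.salt = generateSecretKey("AES", 128);   // fresh random value per user (Base64 text)
    rec.iterations = 100000;                     // stored so it can be raised later
    rec.hash = generatePBKDFKey("PBKDF2WithHmacSHA1", arguments.password,
                                rec.salt, rec.iterations, 256);
    return rec;
}

// Re-derive with the stored salt and work factor, then compare.
function passwordMatches(required string password, required struct rec) {
    var candidate = generatePBKDFKey("PBKDF2WithHmacSHA1", arguments.password,
                                     arguments.rec.salt, arguments.rec.iterations, 256);
    // MessageDigest.isEqual does not stop at the first differing byte
    var md = createObject("java", "java.security.MessageDigest");
    return md.isEqual(charsetDecode(candidate, "utf-8"),
                      charsetDecode(arguments.rec.hash, "utf-8"));
}

// Constructed sample data: two users who chose the same password.
samplePassword = "correct horse battery";
alice = newPasswordRecord(samplePassword);
bob   = newPasswordRecord(samplePassword);

writeOutput("Unsalted Hash() values identical: "
    & (hash(samplePassword) eq hash(samplePassword)) & "<br>");
writeOutput("Salted stored values identical: " & (alice.hash eq bob.hash) & "<br>");
writeOutput("Correct password accepted: " & passwordMatches(samplePassword, alice) & "<br>");
writeOutput("Wrong password accepted: " & passwordMatches("not the password", alice) & "<br>");
</cfscript>
```

In the users table this means three columns (salt, iterations, hash) in place of the single password column, all written through cfqueryparam as in the insert query above.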

Comments
Hash always returns a fixed length string (the length depends on the algorithm used). In your example, it will be 32 character hexadecimal so you'd probably want to use an nchar datatype (or equivalent) in your database.
Also I'd probably check the Hashed password in your SQL WHERE clause in case you have more than one user with the same username (it does happen!)
# Posted By John Whish | 09/10/08 16:05
You really need to salt the passwords before hashing them, otherwise you're exposed to a rainbow-table attack. I wrote about this some time ago in relation to PHP and the same principles apply to ColdFusion - that post is at http://www.bigroom.co.uk/blog/php-password-securit....
# Posted By Richard Lord | 25/05/09 12:57