Hashing Passwords

After being criticized for my last post about two-way encryption of passwords, I have decided to write a post about hashing your passwords. As was pointed out in my last post, this is a more secure way of keeping your password data safe.

Hashing passwords in a database is very easy. The syntax of the hash function is

Hash(string[, algorithm[, encoding]])

More information about the syntax can be found at Adobe Livedocs.

To hash the data into the database, we will use an insert query and insert the hashed password.

<!--- Store the hash of the submitted password, never the password itself --->
<cfquery datasource="encryption">
INSERT INTO users (username, password)
VALUES (<cfqueryparam value="#FORM.Nusername#" cfsqltype="cf_sql_clob" maxlength="255">, <cfqueryparam value="#Hash(form.password)#" cfsqltype="cf_sql_clob" maxlength="255">)
</cfquery>

This is essentially very simple to do. To check if the user has entered the correct password to login we simply use a script like this.

<!--- Look up the stored hash for this username --->
<cfquery name="checkpassword" datasource="Users">
SELECT Password
FROM Users
WHERE Username = <cfqueryparam value="#Username#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>

<!--- Hash the submitted password and compare it with the stored hash --->
<cfif Hash(form.password) is not checkpassword.password>
<cflocation url="loginfailed.cfm">
<cfelse>
...
</cfif>

The main difference between this and my last post about two-way encryption of passwords is that the password is never stored in a recoverable form and is never decrypted, so there is less chance of anyone finding it out.

Comments
John Whish: Hash always returns a fixed length string (the length depends on the algorithm used). In your example, it will be 32 character hexadecimal so you'd probably want to use an nchar datatype (or equivalent) in your database.
Also I'd probably check the Hashed password in your SQL WHERE clause in case you have more than one user with the same username (it does happen!)
# Posted By John Whish | 09/10/08 16:05
Richard Lord: You really need to salt the passwords before hashing them, otherwise you're exposed to a rainbow-table attack. I wrote about this some time ago in relation to PHP and the same principles apply to Coldfusion - that post is at http://www.bigroom.co.uk/blog/php-password-securit....
# Posted By Richard Lord | 25/05/09 12:57
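The following is an added example, not code from the original post or its comments, that combines the post's insert and login queries with the two points the commenters raise: a per-user salt so identical passwords (and rainbow tables) do not yield identical hashes, and a check that exactly one row came back for the username. It assumes a datasource named "encryption" and a users table with columns username, salt and passwordhash; those names are assumptions.

```cfml
<!--- Added example: salted SHA-256 password storage and login check.
      Assumes datasource "encryption" and table users(username, salt, passwordhash). --->

<cffunction name="makeSalt" returntype="string" output="false">
    <!--- generateSecretKey gives a random, base64-encoded 128-bit value; it is
          only used here as a source of per-user randomness, not as a cipher key --->
    <cfreturn generateSecretKey("AES")>
</cffunction>

<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <!--- Salt is prepended so two users with the same password get different hashes --->
    <cfreturn Hash(arguments.salt & arguments.password, "SHA-256")>
</cffunction>

<!--- Registration: store the salt next to the hash; the password itself is never stored --->
<cfset newSalt = makeSalt()>
<cfquery datasource="encryption">
    INSERT INTO users (username, salt, passwordhash)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="255">,
        <cfqueryparam value="#newSalt#" cfsqltype="cf_sql_varchar" maxlength="64">,
        <cfqueryparam value="#hashPassword(form.password, newSalt)#" cfsqltype="cf_sql_char" maxlength="64">
    )
</cfquery>

<!--- Login: fetch this user's salt and stored hash, recompute, and compare --->
<cfquery name="checkpassword" datasource="encryption">
    SELECT salt, passwordhash
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- recordCount must be exactly 1 (no user, or duplicate usernames, both fail);
      compare() is case-sensitive and returns 0 only when both strings match --->
<cfif checkpassword.recordCount EQ 1
      AND compare(hashPassword(form.password, checkpassword.salt), checkpassword.passwordhash) EQ 0>
    <!--- login succeeded: establish the session here --->
<cfelse>
    <cflocation url="loginfailed.cfm">
</cfif>
```

Hash() is a fast general-purpose digest; where a library is available, a purpose-built password hash such as bcrypt is the stronger choice because it is deliberately slow to compute.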
