Encrypting Passwords

In this tutorial I will show you how you can encrypt and decrypt passwords using ColdFusion. Bear in mind that this stores passwords reversibly: nothing in a login flow ever needs the plaintext back, so for login credentials the usual recommendation (as the comments below discuss) is a salted one-way hash rather than encryption.

The first thing we need to do is create an encryption key; this is what will be used to encrypt and decrypt your passwords. If you lose this key you will not be able to decrypt any of your encrypted data, and anyone who obtains it together with your database can decrypt all of it.

To hold this key I will set a request-scope variable (Request.PasswordKey, typically in Application.cfm so it is available on every request) so it can be referenced when needed. The value below is a placeholder: keep the real key out of source control.

<!--- Shared key for Encrypt()/Decrypt(). Placeholder value; do not commit a real key. --->
<cfparam name="Request.PasswordKey" default="H9OUhtsjsyIUHK23jhfkuHYT">

Now I will show you how to encrypt your data. This is best done when saving the data to the database. I have a form to add new users; the form is posted and, just before the data is inserted into the database, the password is encrypted with the key.

I have assumed that, if you are at the point of encrypting passwords, you know how to build a basic form, so I shall skip that part.

<!--- Encrypt() with no algorithm argument uses CFMX_COMPAT, which is deterministic:
      the same password and key always produce the same ciphertext. --->
<cfset Encrypted = Encrypt(Form.Npassword, Request.PasswordKey)>
<cfquery datasource="encryption">
    INSERT INTO users (username, password)
    VALUES (
        <cfqueryparam value="#Form.Nusername#" cfsqltype="cf_sql_varchar" maxlength="255">,
        <cfqueryparam value="#Encrypted#" cfsqltype="cf_sql_varchar" maxlength="255">
    )
</cfquery>
<cflocation url="/Admin/users.cfm" addtoken="yes">

Now we should have a database row with a username and an encrypted password, but to let users log in we need to check the password they submit against it.

This is basically the same process as before: rather than decrypting the stored value, we encrypt the submitted Form.password with the same key and compare the two ciphertexts in the query. This only works because the default Encrypt() algorithm is deterministic; a mode that uses a fresh random IV on every call (for example AES in CBC mode with a per-call IV) produces a different ciphertext each time, and the comparison would never match.

<cfset Encrypted = Encrypt(Form.password, Request.PasswordKey)>
<!--- Both values are bound with cfqueryparam; string concatenation here is SQL injection. --->
<cfquery name="Login" datasource="encryption">
    SELECT *
    FROM users
    WHERE username = <cfqueryparam value="#Form.username#" cfsqltype="cf_sql_varchar" maxlength="255">
      AND password = <cfqueryparam value="#Encrypted#" cfsqltype="cf_sql_varchar" maxlength="255">
</cfquery>
<cfif Login.recordCount EQ 1>
    <!--- credentials match: establish the session here --->
</cfif>
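The register and login flow above, modelled end to end as an added Python example (this is not the tutorial's code). A keyed HMAC-SHA256 keystream stands in for ColdFusion's Encrypt()/Decrypt(); the key, usernames and passwords are constructed. It shows why the ciphertext comparison works (the encryption is deterministic), what that leaks (two users with the same password have identical rows), what one leaked key yields (every password at once), and why the same comparison fails as soon as the cipher uses a fresh IV per call.

```python
import hashlib
import hmac
import os

# Constructed key, playing the role of Request.PasswordKey in the tutorial.
PASSWORD_KEY = b"H9OUhtsjsyIUHK23jhfkuHYT"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode. A stand-in for Encrypt()/Decrypt(),
    not a real cipher; all that matters here is that it is keyed and reversible."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(plaintext: str, key: bytes) -> str:
    """Deterministic, like the tutorial's default Encrypt(): no IV, so the same
    password under the same key always yields the same ciphertext."""
    data = plaintext.encode()
    return _xor(data, _keystream(key, b"", len(data))).hex()


def decrypt(ciphertext_hex: str, key: bytes) -> str:
    data = bytes.fromhex(ciphertext_hex)
    return _xor(data, _keystream(key, b"", len(data))).decode()


def encrypt_randomized(plaintext: str, key: bytes) -> str:
    """Same toy cipher with a fresh random IV prepended, the way a CBC-style call with a
    per-call IV behaves: every call gives a different ciphertext for the same input."""
    iv = os.urandom(16)
    data = plaintext.encode()
    return (iv + _xor(data, _keystream(key, iv, len(data)))).hex()


def decrypt_randomized(ciphertext_hex: str, key: bytes) -> str:
    raw = bytes.fromhex(ciphertext_hex)
    iv, data = raw[:16], raw[16:]
    return _xor(data, _keystream(key, iv, len(data))).decode()


def register(users: dict, username: str, password: str) -> None:
    """The INSERT: store the ciphertext of the password, keyed by username."""
    users[username] = encrypt(password, PASSWORD_KEY)


def login(users: dict, username: str, password: str) -> bool:
    """The SELECT ... WHERE password = <ciphertext>: re-encrypt and compare."""
    return users.get(username) == encrypt(password, PASSWORD_KEY)


def dump_all_passwords(users: dict, key: bytes) -> dict:
    """What an attacker holding both the table and the key obtains: every password."""
    return {user: decrypt(ct, key) for user, ct in users.items()}


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse")
    register(users, "bob", "hunter2")
    register(users, "carol", "hunter2")
    print(login(users, "alice", "correct horse"), login(users, "alice", "wrong"))
    print(users["bob"] == users["carol"])  # same password, identical rows: visible in the table
    print(dump_all_passwords(users, PASSWORD_KEY))
    ct1 = encrypt_randomized("hunter2", PASSWORD_KEY)
    ct2 = encrypt_randomized("hunter2", PASSWORD_KEY)
    print(ct1 != ct2, decrypt_randomized(ct1, PASSWORD_KEY) == "hunter2")
```

With the randomized variant the only way to check a login is to decrypt the stored value and compare plaintexts, which means the web tier needs the key on every request; the hashing approach raised in the comments avoids needing a key at all.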

I hope this code is of help to people.

Comments
Dan Vega: Good stuff. Just remember to use queryparam on the last query. That last query is subject to a SQL injection attack.
# Posted By Dan Vega | 28/09/08 17:16
TJ Downes: Good tip, and I recommend this method for anyone storing passwords!

Of course, if you are using MS SQL 2005 or 2008 Server you can use the Hash function for one-way encryption, and then there's no need to store the key in your code on the web server.
# Posted By TJ Downes | 28/09/08 17:17
Jonny Shaw: Yeah, sorry, I forgot to use the queryparam on the last query. But as I said with regards to creating a basic form, I have assumed you have a certain level of knowledge to want to encrypt your passwords.
# Posted By Jonny Shaw | 28/09/08 17:22
duncan: I'm just wondering why you'd want to encrypt the password rather than hash it, which I thought was always best practice?
# Posted By duncan | 28/09/08 18:51
Jonny Shaw: Well, I suppose you could do it either way; it doesn't matter.
It just means that if anyone does manage to hack your database it makes it harder for them to get the data.
# Posted By Jonny Shaw | 28/09/08 20:12
Gary Fenton: I can't think of a single good reason why anyone would want to store users' passwords in their database. Storing a hash is much more secure and offers reassurance to users. People tend to reuse the same password, so an evil webmaster could access users' passwords and try to log in to their gmail, hotmail, ebay, paypal, etc. accounts. Of course users should use a different password for each website for their own sake.
# Posted By Gary Fenton | 28/09/08 20:20
Jonny Shaw: How about storing login information that has a user's password?
# Posted By Jonny Shaw | 28/09/08 20:23
Jason Dean: I think the point that Gary is trying to make, and it is a good one, is why does the application need a reversible encryption of the password stored in the database? What possible need do you have for storing the password in a reversible fashion?

It actually does matter whether you store a password encrypted vs. hashed, for the primary reason that encryption IS reversible. A hash is not. All a hacker needs to get at every single password in your database is that one encryption key (of course after compromising the DB).

Even for login information, there is no reason to store the password encrypted. If you store it hashed, then when the user tries to log in again you hash their input and compare it to the hash in the database. If they match, then they entered the correct password. There is never a reason to decrypt the user's password.

Also, you should be salting your users' passwords before hashing to defeat weak-password brute-force attacks and birthday/rainbow-table attacks.
# Posted By Jason Dean | 28/09/08 21:12
James Marshall: Although the two-way encryption you describe is better than none at all, I've got to say, for the sake of any newbies reading this, that I'd always opt for hash encryption and comparison in a production environment.

I recently had to recode an application that a junior developer had written because there were security holes everywhere of which he was unaware. He'd used two-way encryption because he thought it would be useful to email a user their password if they forgot it. What he didn't consider was the insecure nature of email itself. IMHO it's far better to use hash encryption and send a user a temporary password if and when necessary.
# Posted By James Marshall | 30/09/08 17:06
Justice: I agree with Jason, and in one system I developed each user gets a unique salt assigned to them upon registration, and their password is salted, then hashed and stored in the database. I have never seen a real valid reason that a system admin needs to be able to see a user's password rather than resetting it to a temporary value.
# Posted By Justice | 09/10/08 15:30
cheapterp: From the comments made so far, I understand that hashing a password is way better than encrypting it. However, I have one question about hashing. Consider this scenario:
A user forgets his/her password. Or better/worse yet, they make so many invalid attempts to login that their account is permanently disabled. The only way out now is if the admin resets it. In that case, if I had to reset a user's password to a "default" password, and then let them know their password has now been reset to "default", how would that work?

In other words, how do I go about this process of resetting the password and letting them know what it is using hashing? It is pretty straightforward using encryption, but I have no clue about hashing.
# Posted By cheapterp | 12/02/09 17:53
duncan: At that stage, the admin person knows what the password is, e.g. "password", "letmein", "Friday1" or whatever. Nobody needs to know what the hash of that is. So the admin person resets the password to the default, and informs the user of what it is.

You should also then set a flag, perhaps on a boolean column in the users table, indicating the password has been reset. This then means that once the user logs in with the default password, they have to reset their password to something of their own choosing.

All the above should be the case whether you've got hashing or not.
# Posted By duncan | 12/02/09 17:59
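What Jason Dean's and Justice's comments above describe (a per-user salt, hash the input and compare) together with the reset-and-flag procedure duncan outlines, as an added Python example that is not from the post or any commenter. PBKDF2-HMAC-SHA256, the iteration count, the salt length and the in-memory users dict are my assumptions; an application would keep the salt, hash and flag as columns of the users table.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000     # assumed work factor; raise it as far as your login latency allows
SALT_BYTES = 16          # assumed salt length


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way: PBKDF2-HMAC-SHA256. There is no key to lose or steal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _new_row(password: str, must_change: bool) -> dict:
    salt = os.urandom(SALT_BYTES)            # unique per user and per password change
    return {"salt": salt, "hash": hash_password(password, salt), "must_change": must_change}


def register(users: dict, username: str, password: str) -> None:
    users[username] = _new_row(password, must_change=False)


def login(users: dict, username: str, password: str) -> bool:
    """Hash the submitted password with the stored salt and compare digests in
    constant time. The stored value is never decrypted, because it cannot be."""
    row = users.get(username)
    if row is None:
        hash_password(password, b"\x00" * SALT_BYTES)   # keep timing similar for unknown users
        return False
    return hmac.compare_digest(row["hash"], hash_password(password, row["salt"]))


def admin_reset(users: dict, username: str) -> str:
    """The reset flow from the thread: the admin never sees the old password. A random
    temporary password is generated, only its hash is stored, the account is flagged,
    and the plaintext is returned once so it can be handed to the user out of band."""
    temp = secrets.token_urlsafe(12)
    users[username] = _new_row(temp, must_change=True)
    return temp


def change_password(users: dict, username: str, old: str, new: str) -> bool:
    """Requires the current (or temporary) password, re-salts, and clears the flag."""
    if not login(users, username, old):
        return False
    users[username] = _new_row(new, must_change=False)
    return True


if __name__ == "__main__":
    users = {}
    register(users, "alice", "hunter2")
    register(users, "bob", "hunter2")
    print(users["alice"]["hash"] != users["bob"]["hash"])   # same password, different rows
    print(login(users, "alice", "hunter2"), login(users, "alice", "Hunter2"))
    temp = admin_reset(users, "alice")
    print(login(users, "alice", temp), users["alice"]["must_change"])
    print(change_password(users, "alice", temp, "new and longer"), users["alice"]["must_change"])
```

After a successful login the application checks the must_change flag and, if set, sends the user to the change-password page before anything else, which is the forced reset duncan describes; nothing in this flow ever needs the original password back.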
cheapterp: Dang! I confused hashing with using the GenerateSecretKey function. I was thinking a new key would be generated each time, making it impossible to log a user in. Ignore the previous lines if I am not very clear about what confused me.

The question I have now is: since AES encryption is considered the best encryption method there is, is the only reason for not using encryption for storing passwords that the DB admin will be able to decrypt them and see what they are?

My apologies - I know I am coming across as an incredible numbhead/n00b

Thanks for your response(s).
# Posted By cheapterp | 12/02/09 18:10
duncan: Yes, I believe that's the reasoning behind not encrypting the passwords. In theory, anyone who could hack into your database might also be able to get the key and decrypt any passwords too.
# Posted By duncan | 12/02/09 19:07
