Encrypting Passwords

In this tutorial I will show you how to encrypt and decrypt passwords using ColdFusion.

The first thing we need to do is create an encryption key. This is what will be used to encrypt and decrypt your passwords. If you lose this key you will not be able to decrypt any of your encrypted data, and anyone who obtains it can decrypt all of it.

To make this key available to every page I will set it in a request variable from Application.cfm, so it can be read wherever it is needed. The value below is only an example; a real key should be generated randomly and kept out of any code you publish or share.

<cfparam name="Request.PasswordKey" default="H9OUhtsjsyIUHK23jhfkuHYT">

Now I will show you how to encrypt the data. This is best done at the point of saving it to the database: I have a form to add new users, the form posts to this page, and just before we insert the row we encrypt the password with the key.

I have assumed that anyone at the level of encrypting passwords knows how to build a basic form, so I shall skip that part.

<!--- Encrypt the submitted password with the shared key before it is stored --->
<cfset Encrypted = Encrypt(Form.Npassword, Request.PasswordKey)>
<cfquery datasource="encryption">
INSERT INTO users (username, password)
VALUES (
    <!--- Bind both values: never splice form input or ciphertext into the SQL text --->
    <cfqueryparam value="#FORM.Nusername#" cfsqltype="cf_sql_varchar" maxlength="255">,
    <cfqueryparam value="#Encrypted#" cfsqltype="cf_sql_varchar" maxlength="255">
)
</cfquery>
<cflocation url="/Admin/users.cfm" addtoken="yes">

So now we have a database with a username and an encrypted password. For users to be able to log in we need to check the password they type against what is stored.

This is basically the same process as before, but instead of decrypting the stored value we encrypt the submitted FORM.password with the same key and compare the result to the stored ciphertext in the WHERE clause. This only works because Encrypt() with its default algorithm (CFMX_COMPAT, which Adobe's documentation describes as the least secure option) always produces the same output for the same input and key. An algorithm that uses a random IV produces a different ciphertext each time, so the equality test below would never match. Note also that the login never needs to decrypt anything, which is the point the comments below make in favour of storing a hash instead.

<!--- Encrypt the login form's password with the same key and compare ciphertexts --->
<cfset Encrypted = Encrypt(Form.password, Request.PasswordKey)>
<cfquery name="Login" datasource="encryption">
SELECT *
FROM users
WHERE username = <cfqueryparam value="#FORM.username#" cfsqltype="cf_sql_varchar" maxlength="255">
AND password = <cfqueryparam value="#Encrypted#" cfsqltype="cf_sql_varchar" maxlength="255">
</cfquery>
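The following is an added example, written in Python with SQLite rather than CFML, and is not code from this post. It models the store-then-compare scheme above with a constructed stand-in cipher (a repeating-key XOR, chosen only because it has the two properties the scheme depends on: the same input and key always give the same output, and the key reverses it; it is not ColdFusion's Encrypt()) and shows two consequences a practitioner should weigh. First, a login query that splices the form values into the SQL text, rather than binding them (cfqueryparam in CFML, `?` placeholders here), can be bypassed with a crafted username. Second, anyone holding the key and a copy of the table recovers every password in one pass. The key, usernames and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample key, the same shape as the page's Request.PasswordKey.
KEY = "H9OUhtsjsyIUHK23jhfkuHYT"


def toy_encrypt(plaintext: str, key: str) -> str:
    """Stand-in for a deterministic, reversible cipher: repeating-key XOR, hex encoded.
    NOT ColdFusion's Encrypt(); used only so this example runs stand-alone."""
    kb = key.encode()
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(plaintext.encode())).hex()


def toy_decrypt(ciphertext: str, key: str) -> str:
    """Inverse of toy_encrypt: XOR with the same key stream."""
    kb = key.encode()
    data = bytes.fromhex(ciphertext)
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data)).decode()


def make_db() -> sqlite3.Connection:
    """In-memory users table, populated the way the tutorial's insert does it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:  # constructed
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, toy_encrypt(pw, KEY)))
    return conn


def login_spliced(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check with the form values pasted into the SQL string, as in a
    query written without cfqueryparam. The username is attacker-controlled."""
    enc = toy_encrypt(password, KEY)
    sql = f"SELECT * FROM users WHERE username = '{username}' AND password = '{enc}'"
    return conn.execute(sql).fetchone() is not None


def login_bound(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters; the database never parses the username as SQL."""
    enc = toy_encrypt(password, KEY)
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?", (username, enc)
    ).fetchone()
    return row is not None


def dump_all_passwords(conn: sqlite3.Connection, key: str) -> dict:
    """What a copy of the table plus the one key yields: every password, in clear."""
    return {
        user: toy_decrypt(enc, key)
        for user, enc in conn.execute("SELECT username, password FROM users")
    }


# A username that closes the quoted literal and comments out the password clause,
# so the spliced query becomes: ... WHERE username = 'alice' --' AND password = '...'
INJECTED_USERNAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("spliced, real password :", login_spliced(db, "alice", "correct horse"))  # True
    print("spliced, injected name :", login_spliced(db, INJECTED_USERNAME, "x"))   # True
    print("bound,   injected name :", login_bound(db, INJECTED_USERNAME, "x"))     # False
    print("with key, all passwords:", dump_all_passwords(db, KEY))
```

The bound query still has the page's design weakness, namely that one key unlocks every row; binding only removes the injection. The stand-in cipher is deliberately trivial and must not be read as a recommendation for anything.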

I hope this code is of help to people.

Comments
Dan Vega: Good stuff. Just remember to use queryparam on the last query. That last query is subject to a SQL injection attack.
# Posted By Dan Vega | 28/09/08 17:16
TJ Downes: Good tip, and I recommend this method for anyone storing passwords!

Of course if you are using MS SQL 2005 or 2008 Server you can use the Hash function for one-way encryption, and then there's no need to store the key in your code on the web server.
# Posted By TJ Downes | 28/09/08 17:17
Jonny Shaw: Yeah, sorry, I forgot to use the queryparam on the last query. But as I said with regards to creating a basic form, I have assumed you have a certain level of knowledge if you want to encrypt your passwords.
# Posted By Jonny Shaw | 28/09/08 17:22
duncan: I'm just wondering why you'd want to encrypt the password rather than hash it, which I thought was always best practice?
# Posted By duncan | 28/09/08 18:51
Jonny Shaw: Well, I suppose you could do it either way, it doesn't matter.
It just means that if anyone does manage to hack your database it makes it harder for them to get data.
# Posted By Jonny Shaw | 28/09/08 20:12
Gary Fenton: I can't think of a single good reason why anyone would want to store users' passwords in their database. Storing a hash is much more secure and offers reassurance to users. People tend to reuse the same password, so an evil webmaster could access users' passwords and try to log in to their gmail, hotmail, ebay, paypal, etc. accounts. Of course users should use a different password for each website for their own sake.
# Posted By Gary Fenton | 28/09/08 20:20
Jonny Shaw: How about storing login information? That has a user's password.
# Posted By Jonny Shaw | 28/09/08 20:23
Jason Dean: I think the point that Gary is trying to make, and it is a good one, is why does the application need a reversible encryption of the password stored in the database? What possible need do you have for storing the password in a reversible fashion?

It actually does matter whether you store a password encrypted vs. hashed, for the primary reason that encryption IS reversible. A hash is not. All a hacker needs to get at every single password in your database is that one encryption key (of course after compromising the DB).

Even for login information, there is no reason to store the password encrypted. If you store it hashed, then when the user tries to log in again, you hash their input and compare it to the hash in the database. If they match, then they entered the correct password. There is never a reason to decrypt the user's password.

Also, you should be salting your users' passwords before hashing to defeat weak-password brute-force attacks and birthday/rainbow table attacks.
# Posted By Jason Dean | 28/09/08 21:12
James Marshall: Although the two-way encryption you describe is better than none at all, I've got to say, for the sake of any newbies reading this, that I'd always opt for hash encryption and comparison in a production environment.

I recently had to recode an application that a junior developer had written because there were security holes everywhere of which he was unaware. He'd used two-way encryption because he thought it would be useful to email a user their password if they forgot it. What he didn't consider was the insecure nature of email itself. IMHO it's far better to use hash encryption and send a user a temporary password if and when necessary.
# Posted By James Marshall | 30/09/08 17:06
Justice: I agree with Jason, and in one system I developed each user gets a unique salt assigned to them upon registration, and their password is salted, then hashed and stored in the database. I have never seen a real valid reason that a system admin needs to be able to see a user's password rather than re-setting it to a temporary value.
# Posted By Justice | 09/10/08 15:30
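As an added example illustrating the salt-then-hash scheme Jason Dean and Justice describe in the comments above (not code from the post or from any commenter, and in Python with the standard library rather than CFML): each user gets a random salt at registration, the salt and a PBKDF2-HMAC-SHA256 digest are stored, and login recomputes the digest from the submitted password and compares it in constant time. Nothing in the table can be reversed into a password, so there is no key to protect, and an administrator resets a forgotten password rather than reading it. Usernames and passwords are constructed sample data; the iteration count is a hypothetical starting figure to raise as hardware allows.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical starting work factor for PBKDF2-HMAC-SHA256; raise it as far as
# your login latency budget allows. A purpose-built password hash (Argon2id,
# bcrypt, scrypt) is preferable when a library for it is available.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way digest. Different salts give unrelated digests
    for the same password, so a precomputed (rainbow) table is useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """In-memory users table: the password column holds a digest, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a fresh per-user salt and the digest; all values are bound, not spliced."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def reset_password(conn: sqlite3.Connection, username: str, new_password: str) -> None:
    """Admin reset: new salt, new digest. Nobody ever needs to see the old password."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ? WHERE username = ?",
        (salt, hash_password(new_password, salt), username),
    )


def stored_digests(conn: sqlite3.Connection) -> dict:
    """The table as an attacker with a copy of it would see it: digests only."""
    return {u: h for u, h in conn.execute("SELECT username, pw_hash FROM users")}


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "hunter2")  # constructed sample users
    register(db, "bob", "hunter2")    # same password, different salt
    d = stored_digests(db)
    print("same password, different digests:", d["alice"] != d["bob"])  # True
    print("alice / hunter2 :", verify_login(db, "alice", "hunter2"))      # True
    print("alice / wrong   :", verify_login(db, "alice", "wrong"))        # False
    print("nobody / hunter2:", verify_login(db, "nobody", "hunter2"))     # False
```

Because the salt is per user, two accounts with the same password do not share a digest, so a leaked table does not reveal password reuse and cannot be attacked with one precomputed table. The constant-time comparison matters because a byte-by-byte string compare leaks how many leading bytes matched.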
