Hash
After a long break in my series of the little enhancements in ColdFusion MX 7 (CFMX 7 Little Things), I am back today with another article, this time with the Hash function.
In versions of ColdFusion prior to 7, the Hash function used the MD5 algorithm to generate hash values. In version 7 you can specify which algorithm to use, and the new choices are:
- SHA - Generates a 28 character hash string using the Secure Hash Standard SHA-1 algorithm
- SHA-256 - Generates a 44 character hash string using the SHA-256 algorithm
- SHA-384 - Generates a 64 character hash string using the SHA-384 algorithm
- SHA-512 - Generates a 88 character hash string using the SHA-512 algorithm
Here's a code example that generates an 88 character hash, which is pretty large:
<cfoutput>#Hash("myPassword", "SHA-512")#</cfoutput>
CF 7 Also adds an encoding argument, which according to the docs:
Must be a character encoding name recognized by the Java runtime. The default value is the value specified by the defaultCharset entry in the neo-runtime.xml file, which is normally UTF-8
The Hash function is most commonly used as a one way encryption for passwords. If you don't want to store a users password in your database in plain text, you can store the Hash of the password. Then when the user logs in instead of comparing the password with a value from your database, you compare a Hash of the input password, with the Hash of the users password in the database.
There is no known way to reverse a hash, so if your user forgets their password, you cannot email it to them, you have to come up with another way to authenticate the user (secret questions is one good way), in order to reset the password.
Tweet
add to del.icio.usRelated Entries
- Strong Encryption Technote shows undocumented features - February 22, 2005
- ColdFusion 7 Strong Encryption - February 10, 2005
- CFFUNCTION and CFARGUMENT don't support new types in ColdFusion 7 - April 13, 2005
- CFTIMER - Little things in ColdFusion 7 - February 11, 2005
- cfdirectory adds recursive support - Little Things in CFMX 7 - February 10, 2005
Trackbacks
Comments
One other thing to have developers consider is using a salt (a random string stored in an additional db column, and prepended to the password before hashing) along with the Hash.
Salting the password before hashing it makes it virtually impossible to launch a successful dictionary style attack against the hashed password values stored in the database because an attacker would have to try all of the possible salt values for each hash value in their dictionary. For example, if you use a 12-character string consisting of upper case letters from A to Z, there are 26^12 possible salt combinations for each password.
I think hashing is a very good technique for making it more difficult for attackers to get data, but I've seen developers lean on this as a crutch thinking their passwords are safe. I'm not an alarmist, but hashing passwords is just one part of keeping your information safe. Monitoring your server, enforcing proper folder-level security, and a general understanding of how hackers perform their attacks is the best way to keep your data safe.
T
As an admin, it would behoove you to do something like this: "md5(Password & Salt) & Salt)" so that it is much more unlikely that your users' passwords are stored precomputed in a database someplace.
Any idea why this is and how to keep it to 28 characters?
Post a Comment
Recent Entries
- Firefox Aurora now Supports Content Security Policy 1.0
- Writing Secure CFML cfObjective 2013 Slides
- Upgrading to Java 7 on Linux
- J2EE Sessions in CF10 Uses Secure Cookies
- Learn about ColdFusion Security at cfObjective 2013
- Session Loss and Session Fixation in ColdFusion
- FuseGuard 2.3 Released
- CKEditor Spell Checker Plugin
