Pete Freitag

Hash

coldfusion

After a long break in my series on the little enhancements in ColdFusion MX 7 (CFMX 7 Little Things), I am back today with another article, this time on the Hash function.

In versions of ColdFusion prior to 7, the Hash function used the MD5 algorithm to generate hash values. In version 7 you can specify which algorithm to use; the new choices are:

  • SHA - Generates a 28-character hash string using the Secure Hash Standard SHA-1 algorithm
  • SHA-256 - Generates a 44-character hash string using the SHA-256 algorithm
  • SHA-384 - Generates a 64-character hash string using the SHA-384 algorithm
  • SHA-512 - Generates an 88-character hash string using the SHA-512 algorithm

Here's a code example that generates an 88-character hash, which is pretty large:

<cfoutput>#Hash("myPassword", "SHA-512")#</cfoutput>

CF 7 also adds an encoding argument, which, according to the docs:

Must be a character encoding name recognized by the Java runtime. The default value is the value specified by the defaultCharset entry in the neo-runtime.xml file, which is normally UTF-8.

The Hash function is most commonly used as one-way encryption for passwords. If you don't want to store a user's password in your database in plain text, you can store the Hash of the password. Then, when the user logs in, instead of comparing the password with a value from your database, you compare a Hash of the input password with the Hash of the user's password in the database.

There is no known way to reverse a hash, so if your user forgets their password, you cannot email it to them; you have to come up with another way to authenticate the user (secret questions are one good way) in order to reset the password.
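Added example, not code from the original post: a small Python model of the workflow above. cf_hash() mimics ColdFusion's Hash(string, algorithm, encoding), which returns the digest as an uppercase hexadecimal string, so the hex output is twice the digest's byte length (40 characters for SHA-1, as a commenter below observes), while the 28/44/64/88 figures correspond to the Base64 encoding of the same digests. The record/verify functions add a per-user random salt (an assumption of this example, not part of the post's own code) and a constant-time comparison.

```python
import base64
import hashlib
import hmac
import secrets

# Map ColdFusion's algorithm names to hashlib names ("SHA" is SHA-1 in CF).
ALGORITHMS = {
    "MD5": "md5", "SHA": "sha1", "SHA-1": "sha1",
    "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512",
}


def cf_hash(text, algorithm="MD5", encoding="utf-8"):
    """Mimic CF's Hash(): encode with the given charset, digest, return uppercase hex."""
    data = text.encode(encoding)  # the encoding argument changes the bytes that get hashed
    return hashlib.new(ALGORITHMS[algorithm.upper()], data).hexdigest().upper()


def hash_lengths(text="myPassword"):
    """For each new CF 7 algorithm: (length of the hex digest, length of its Base64 form)."""
    lengths = {}
    for name in ("SHA", "SHA-256", "SHA-384", "SHA-512"):
        hexdigest = cf_hash(text, name)
        b64 = base64.b64encode(bytes.fromhex(hexdigest)).decode("ascii")
        lengths[name] = (len(hexdigest), len(b64))
    return lengths


def make_password_record(password, algorithm="SHA-256"):
    """What to store instead of the plaintext: algorithm name, random salt, Hash(salt + password).
    Storing the algorithm name lets individual rows migrate to a stronger hash later."""
    salt = secrets.token_hex(16)  # constructed per user; stored in its own column
    return {"algorithm": algorithm, "salt": salt,
            "hash": cf_hash(salt + password, algorithm)}


def verify_password(record, candidate):
    """Re-hash the login input exactly as at signup and compare digests in constant time."""
    expected = cf_hash(record["salt"] + candidate, record["algorithm"])
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    print(hash_lengths())
    rec = make_password_record("myPassword", "SHA-512")
    print(len(rec["hash"]), verify_password(rec, "myPassword"), verify_password(rec, "wrong"))
```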



Hash was first published on March 15, 2005.


Comments

Note that in addition to the new hashes listed, you can still specify MD5 (which is the default) to use the same algorithm as prior versions of CF. It's helpful to be able to specify the default, because it will allow you to store the hash algorithm in the database for a given password, and then migrate passwords to a different hash algorithm as they are updated, for example.
by barneyb on 03/15/2005 at 5:19:49 PM UTC
Pete, one other thing to have developers consider is using a salt (a random string stored in an additional db column, and prepended to the password before hashing) along with the Hash. Salting the password before hashing it makes it virtually impossible to launch a successful dictionary-style attack against the hashed password values stored in the database, because an attacker would have to try all of the possible salt values for each hash value in their dictionary. For example, if you use a 12-character string consisting of uppercase letters from A to Z, there are 26^12 possible salt combinations for each password.
by Rob Brooks-Bilson on 03/15/2005 at 5:42:05 PM UTC
Rob, that is a great idea; I've never heard of that. The attacker would not necessarily even know if the hash had been salted. Thanks for the tip.
by Ryan Guill on 03/15/2005 at 6:46:40 PM UTC
Ryan, an attacker will know salt is being used, because they'll see the 'salt' column in the table. But that's fairly irrelevant, and may actually deter the attacker from continuing, because the chance of success is so greatly reduced.
by barneyb on 03/15/2005 at 6:57:58 PM UTC
I've been using randomly generated salt values (like Rob described) since CF5. If anyone would like a copy of the code I'd be happy to share it.
by Jeff Coughlin on 03/16/2005 at 10:35:25 AM UTC
Hey Jeff, I'd certainly be interested in knowing more! T
by Tony Brandner on 03/18/2005 at 2:31:17 PM UTC
Wayne, it would be more accurate to say that you can get potential values for the hash rather than say that you can reverse it. It's a small, but important difference.
by Keith Gaughan on 05/08/2005 at 8:32:07 PM UTC
I tried many different things, but sha1 results in 40 characters (I need the 28 you mention in your article). Any idea why this is and how to keep it to 28 characters?
by grietje on 12/13/2006 at 8:20:34 AM UTC
Hi, anyone have an idea how to encode any string into 88 chars? E.g. input aa, output QMVVmHphUFduLwH0nFj751jAyrZdghNUxcg0PPKuziuTja7ZE9tf5YO488ciQJ2Wee9cXE86SidVNkz2WmjKnw== Is this base 64 encryption or SHA1? Please help me out.
by lalit on 12/18/2006 at 10:13:40 PM UTC