
Password storage suggestions

New Here, Sep 21, 2006

Good afternoon. I have several connections to different servers, using cfftp, cfldap, etc., where I need to pass username and passwords. I would like to store these authentication pairs in a database and then pull them out in the different applications. I know that I shouldn't store the passwords in plain text and that I can use hash to encrypt them. I also know that I can use encrypt and decrypt, but that hash is much better. My problem arises when I use hash though. I can insert the information into the database and use hash to encrypt the value of password. However, in the application, when I need to use the connection information, once I get the return from the database, it is hashed. How do I pass that information (unhashed) to the connection? Will my output (the hashed value) work? Any assistance is GREATLY appreciated. Thanks.

Chris
TOPICS: Advanced techniques
LEGEND, Sep 21, 2006

Hash will not work for what you want to do.

New Here, Sep 21, 2006

Thanks, Azadi.

Any other suggestions? Dan?

Thanks...Chris

Engaged, Sep 21, 2006

How about using the encrypt() and decrypt() CF functions? I have not really used them myself in a case like this, so I'm not sure if they can accomplish what you want...

Guest, Sep 22, 2006

Encrypt the authentication pairs with a common password. In order to prevent compromise of this common password, you could hash and store it. So all you need to do is supply the common password, hash it, then compare it with the hash in the database. If they match, go ahead and decrypt the required pair with the common password, and if they don't...

That should help.
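The scheme in the reply above, worked through as an added Go example (editor's code, not the ColdFusion from this thread): the database keeps only a salted hash of the common password plus each username/password pair encrypted under a key derived from that password, and the supplied password is checked against the stored hash before anything is decrypted. AES-256-GCM, the chained-HMAC key stretching, the "verify"/"encrypt" labels and the constructed salt are my assumptions; the post only says "hash" and "encrypt".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Derive chains HMAC-SHA256 over label+salt for 20000 rounds (a compact stand-in
// for PBKDF2); distinct labels give the stored check value and the AES key.
func Derive(common, label string, salt []byte) []byte {
	k := append([]byte(label), salt...)
	for i := 0; i < 20000; i++ {
		m := hmac.New(sha256.New, []byte(common))
		m.Write(k)
		k = m.Sum(nil)
	}
	return k
}

// Unlock is naijafan's check: hash the supplied common password, compare it with
// the hash kept in the database, and only on a match derive the AES-256-GCM cipher.
func Unlock(common string, salt, verifier []byte) (cipher.AEAD, error) {
	if !hmac.Equal(Derive(common, "verify", salt), verifier) {
		return nil, errors.New("common password rejected")
	}
	block, _ := aes.NewCipher(Derive(common, "encrypt", salt)) // 32-byte key, always valid
	return cipher.NewGCM(block)
}

// Seal encrypts one "user\x00pass" pair for storage; the server name is bound as
// associated data so one row's ciphertext cannot be replayed under another name.
func Seal(g cipher.AEAD, name, pair string) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce for every row
	return g.Seal(nonce, nonce, []byte(pair), []byte(name))
}

// Open returns the pair in the clear, ready to hand to cfftp or cfldap.
func Open(g cipher.AEAD, name string, row []byte) (string, error) {
	if n := g.NonceSize(); len(row) >= n {
		pt, err := g.Open(nil, row[:n], row[n:], []byte(name))
		return string(pt), err
	}
	return "", errors.New("malformed row")
}
```

Store the salt and the "verify" value once, and one sealed row per server; a wrong common password fails at Unlock, so no decryption is ever attempted with a bad key.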

LEGEND, Sep 22, 2006

The whole thing with hashing is that you "can't" reverse it: it's a one-way encryption scheme. Obviously most/all hashing algorithms *can* be reverse engineered, but that's not the intent.

What is the nature of the transactions you'll be performing with these FTP and LDAP servers, and how are they initiated (e.g. automatically / at user request, etc.)?

--
Adam

New Here, Sep 22, 2006

I appreciate all of your replies. Thanks for the ideas.

The operations are user-initiated and some of them are initiated via scheduled tasks. The FTP operations are usually gets and the LDAP operations are updates (updating attributes) and queries.

Thanks...Chris

LEGEND, Sep 22, 2006

Given the requirement, I too reckon naijafan is onto the right approach.

--
Adam

New Here, Sep 22, 2006

Thanks again, everyone. I'm using CFMX 6.1. naijafan, can you explain what you mean a little more, please? Thanks again.

Chris

Guest, Sep 22, 2006

I think that naijafan has it right. His approach does not require a reverse hash. To create a new password, hash it and store it in the database. To authenticate a password, hash it and see if its hashed value is in the database.

Explorer, Sep 22, 2006

The best way to do this is to NOT use a set seed key. Make sure it is dynamic. Below is the code that works the best. It is completely random and is extremely secure as it uses AES encryption with a base encoding of UUEncode.

<cfscript>
// generate a fresh random AES key for this record
theKey = generateSecretKey('AES');
// encrypt the submitted password with that key; output is UU-encoded
encrypted = encrypt(Form.password, theKey, 'AES', 'UU');
</cfscript>


Use this to compare the passwords (stored and submitted during login):

<cfscript>
// inside cfscript, variables are used directly (no pound signs needed)
decrypted = decrypt(PassAuth.PASSWORD, PassAuth.KEY, 'AES', 'UU');
</cfscript>

The two variables come from a query PassAuth which pulls the key and password associated to the given username.

Furthermore, depending upon your database type, you can encrypt the tables and their column names to make it even more obscure.

New Here, Sep 27, 2006

Again, I'm using CFMX 6.1. "generateSecretKey" is a function in version 7, right? Thanks.

Chris
