CFFTP, CFLDAP and securing passwords

New Here, Jan 31, 2008

Good afternoon. I have several applications which use tags such as CFFTP and CFLDAP. These applications do not prompt for user input, but rather automatically supply the application with the username and password required from a DB lookup. Currently, the passwords are stored in plain text in the DB (SQL 2K)...yes, I know...HORRIBLE!!! How do I secure these passwords or at least secure passing the passwords to the tags, so that they are not in plain text? Since I am automatically supplying these passwords, I can't use salting and hashing, right? Your expedient assistance is greatly appreciated. Thank you.

Chris
TOPICS
Advanced techniques

Explorer, Feb 04, 2008

Hi Chris,

You should really be storing your passwords with a one-way hash in your database but that won't help with the SFTP problem. If you are using SFTP the passwords are not sent to the server in plain text anyway, the only difference is that you are giving it over to the sftp tag from a query column, which is in plain text anyway. If I understand correctly you would want to retrieve the username and password from the database, encrypt the password, pass the username, password and encryption key to a function that would then unencrypt the password and pass it to the SFTP tag? You have to give an unencrypted password to the tag since I imagine the password on the server is also not encrypted.

That seems like a lot of overhead for absolutely no increase in security.

New Here, Feb 06, 2008

Thanks for the reply, Gary. So, if I do store the password in the database in a one-way hash, how would I decrypt it to pass it to the tag? I guess that's the meat of my question. I don't want to show the password in the db nor in the CF code in plain text. Thanks.
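
An added example, not part of any post in this thread: because the application has to hand the cleartext password to CFFTP or CFLDAP, the stored value must be reversible, so this sketch uses ColdFusion's `encrypt()`/`decrypt()` with AES and keeps the key outside the database instead of using `hash()`. The environment variable `FTP_CRED_KEY`, the datasource `appDSN`, and the `ftp_accounts` table and its columns are assumed names.

```cfml
<!--- Added example. FTP_CRED_KEY, appDSN, ftp_accounts and its columns are assumed names. --->
<!--- Generate the key once with generateSecretKey("AES") and keep it outside the
      database, here in an environment variable of the ColdFusion service account. --->
<cffunction name="getCredKey" returntype="string" output="false">
    <cfset var k = createObject("java", "java.lang.System").getenv("FTP_CRED_KEY")>
    <cfif isNull(k) OR NOT len(k)>
        <cfthrow message="FTP_CRED_KEY is not set for the ColdFusion service">
    </cfif>
    <cfreturn k>
</cffunction>

<!--- Called when a credential is saved: only the ciphertext is written to the table. --->
<cffunction name="protectPassword" returntype="string" output="false">
    <cfargument name="plain" type="string" required="true">
    <cfreturn encrypt(arguments.plain, getCredKey(), "AES/CBC/PKCS5Padding", "Base64")>
</cffunction>

<!--- Called just before the tag runs. hash() cannot serve here: it has no inverse. --->
<cffunction name="revealPassword" returntype="string" output="false">
    <cfargument name="stored" type="string" required="true">
    <cfreturn decrypt(arguments.stored, getCredKey(), "AES/CBC/PKCS5Padding", "Base64")>
</cffunction>

<cfset accountId = 1> <!--- constructed sample id --->
<cfquery name="acct" datasource="appDSN">
    SELECT ftp_host, ftp_user, cred_enc
    FROM   ftp_accounts
    WHERE  account_id = <cfqueryparam value="#accountId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The cleartext exists only in memory for the duration of the call. --->
<cfftp action="open" connection="ftpConn" secure="yes" stoponerror="yes"
       server="#acct.ftp_host#" username="#acct.ftp_user#"
       password="#revealPassword(acct.cred_enc)#">
<cfftp action="close" connection="ftpConn">
```

A database dump or a read-only SQL account then yields only ciphertext; anyone who can read both the table and the key can still recover the passwords, so the key's file or environment permissions carry the protection.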
