password values you enter into the cfloginuser tag.
I think it's fair to say that's pretty weak.
The other function that uses pretty weak encryption is cfusion_encrypt().
If you need to encrypt stuff, encrypt() will usually do the trick, but I've
found that it helps to use urlEncode() on the result so you don't have to
worry about spaces being trimmed when storing or passing the value around.
Off the top of my head I don't know exactly how it works internally, but I'm
pretty sure it's hard to break without the key.
Spike
--------------------------------------------
Stephen Milligan
Code poet for hire
http://www.spike.org.uk
Do you cfeclipse? http://cfeclipse.tigris.org
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dave Watts
>Sent: Saturday, July 31, 2004 11:28 AM
>To: CF-Talk
>Subject: RE: Blackstone Presentation
>
>> Many in our audience let the encryption part pass right on
>> by, but I think it is important to know that a much stronger
>> encryption for CFLOGIN and CFENCRYPT will be much stronger
>> than the old very weak hash function. Very important for
>> storing credit card info and passwords, as well as being able
>> to encrypt your code.
>
>The current hash function isn't very weak. It's your typical MD5 hash,
>which is good enough for hashing (which isn't the same as encryption). As for
>CFLOGIN, I'm not sure what's wrong with that, either - I haven't seen
>anything dissecting the login cookie values.
>
>Dave Watts, CTO, Fig Leaf Software
>http://www.figleaf.com/
>phone: 202-797-5496
>fax: 202-797-5444

