Before CF7, the built-in hash function is MD5. So there's no difference really. In CF7 the hash function is a lot more capable and can do SHA and other more secure variants.
There's a lot more you can do besides hashing stored passwords if you're forced to use a non-SSL connection, such as using JavaScript to do challenge-response authentication (CHAP). A good resource on this technique: http://pajhome.org.uk/crypt/md5/chaplogin.html

I have a CFC-based framework that accomplishes a lot of this that I might release sometime in the future.

/kam

-----Original Message-----
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 07, 2005 6:49 AM
To: CF-Talk
Subject: RE: Password management Best Practices

Probably just ignorance. Can someone more familiar with both explain the difference?

-----Original Message-----
From: Kerry

Just wondering: is there any particular reason why you don't just use CF's built-in hash() function?

-----Original Message-----
From: Andy Ousterhout

I use MD5 hash available on http://www.cflib.org. When someone forgets a password, I email them a temporary password that must be changed immediately upon use. I also email them whenever anything on their profile, including password, is changed. When someone calls in, we do the same thing on their behalf. No one but the User ever sees their password.

Andy
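The challenge-response login mentioned at the top of this thread, sketched as an added example that is not part of any poster's message or of the linked article's code: the server stores only a password hash, sends a one-time challenge, and the client returns an HMAC of that challenge instead of the password. It uses SHA-256 and HMAC rather than MD5, runs both sides in Node for demonstration, and the function names, the user store and the sample password are all hypothetical.

```javascript
// Added example: CHAP-style login. All names and the sample account are constructed.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');

// Server side: the store holds the password hash, never the password.
const users = new Map([['andy', { pwHash: sha256('correct horse') }]]);
const pending = new Map(); // username -> outstanding one-time challenge

function issueChallenge(username) {
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(username, challenge); // a newer challenge replaces an older one
  return challenge;
}

// Client side (the browser script in the thread's scenario):
// only the keyed response crosses the wire, not the password or its hash.
function clientResponse(password, challenge) {
  return hmac(sha256(password), challenge);
}

// Server side: recompute the response from the stored hash and compare.
function verifyResponse(username, response) {
  const challenge = pending.get(username);
  pending.delete(username); // single use: a replayed response finds no challenge
  const user = users.get(username);
  if (!challenge || !user) return false;
  const expected = Buffer.from(hmac(user.pwHash, challenge), 'hex');
  const given = Buffer.from(String(response), 'hex');
  // Constant-time comparison; a length mismatch is rejected first.
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}
```

Two limits apply: the stored hash is itself enough to answer a challenge, so it needs the same protection as a password, and on a non-SSL page an active attacker can still alter the script that computes the response.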

