When sharing hosting on a less-than-secure server, I enhanced the security of the passwords in my source code by writing simple Java classes that return the password hardcoded within. The classes were written so that they would only run in code calling them from the correct directory on the server (i.e. if someone else tried to run the class it returned nothing) and this was independent of CF sandboxing. I loaded the classes dynamically, so they were never in the CF classpath.
It isn't perfect, since decompiling the class would get the password, but if someone is in a position to do that then they can also decompile CF and get the encryption/decryption keys for datasource passwords (and compromise the enhancement that has been talked about in this thread too).
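
A sketch of the kind of caller-location check described in the post above, as an added example that is not the poster's code. It assumes Java 9+ (`StackWalker`), a hypothetical class name `GuardedSecret`, a hypothetical deployment directory `/srv/apps/myapp` and a placeholder secret; the post does not say how the original classes identified their caller.

```java
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;

/** Added illustration: returns a secret only to callers loaded from one directory. */
public final class GuardedSecret {
    // Hypothetical directory the calling application is deployed in (assumption).
    private static final Path ALLOWED_DIR = Paths.get("/srv/apps/myapp");
    // Placeholder value; the post describes the real password being hardcoded here.
    private static final char[] SECRET = "PLACEHOLDER-NOT-A-REAL-PASSWORD".toCharArray();

    private static final StackWalker WALKER =
        StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);

    private GuardedSecret() {}

    /** Returns a copy of the secret, or an empty array for any other caller. */
    public static char[] get() {
        Class<?> caller = WALKER.getCallerClass(); // the class that invoked get()
        return isAllowed(codeLocation(caller)) ? SECRET.clone() : new char[0];
    }

    /** Directory or JAR the class was loaded from; null for JDK/bootstrap classes. */
    static Path codeLocation(Class<?> c) {
        try {
            CodeSource src = c.getProtectionDomain().getCodeSource();
            URL loc = (src == null) ? null : src.getLocation();
            // toRealPath() resolves symlinks so a link into ALLOWED_DIR cannot pose as it.
            return (loc == null) ? null : Paths.get(loc.toURI()).toRealPath();
        } catch (Exception e) {
            return null; // fail closed: an unknown origin gets nothing
        }
    }

    /** Component-wise prefix match, so /srv/apps/myapp-other does not pass. */
    static boolean isAllowed(Path location) {
        return location != null && location.startsWith(ALLOWED_DIR);
    }

    public static void main(String[] args) {
        // Compiled and run from outside ALLOWED_DIR this prints 0: the secret was withheld.
        System.out.println(get().length);
    }
}
```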

