I believe CF7+ is extensible when it comes to encryption - MD5 and others
are now available? Will need to check my CFWACK Advanced to be sure though.


Peter Tilbrook
ColdGen Internet Solutions
Manager, ACT and Region ColdFusion Users Group
PO Box 2247
Queanbeyan, NSW, 2620
AUSTRALIA
 
Phone: (02) 6284 2727
Mobile: 0432 897 437
Email: [EMAIL PROTECTED]
WWW: http://www.coldgen.com/
           http://www.actcfug.com
 
 

-----Original Message-----
From: Russ [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 1 December 2005 2:22 AM
To: CF-Talk
Subject: RE: pseudo-memory leak

Well turns out that CF uses MD5, which is a little different than LM hashes
used for Windows passwords.  I just need to get (or generate) the Rainbow
tables first, and then it should be a piece of cake.

-----Original Message-----
From: Robertson-Ravo, Neil (RX)
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 30, 2005 9:31 AM
To: CF-Talk
Subject: RE: pseudo-memory leak

Seems like it is taking him a while ;-)



-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED]
Sent: 29 November 2005 21:52
To: CF-Talk
Subject: Re: pseudo-memory leak

I'll give you another.  Just to make sure it's all kosher.

Let's say a normal password string could include numbers and letters, max
length of 20, min length of 6.  That should narrow it down some for you.  No
spaces either.

997DA8FE4C40296C21CE8E1EB9BDC5B6


On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> Well what kind of string am I working with?  For all I know, you 
> could've hashed a whole book.  Is there a length limit? (as there 
> would very likely be if this was a password)
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 4:36 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> Tell you what.  See how long it takes you to brute force this hash.
> Post the cleartext when you get it.
>
> 6AF59B04BA48B18C15E3CB3ACB2BA75B
>
> I want to see how long it takes you.
>
> On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> > The passwords in Windows are stored as hashes.  They are not stored 
> > as plaintext.  In order to get the password, you would need to brute 
> > force the hash.
> >
> > Cracking Windows passwords is an old idea with a great set of tools 
> > behind it.  We are just using that knowledge to show that you 
> > shouldn't store passwords in cookies, hashed or not.
> >
> > As far as I understand it, if you store something as a client 
> > variable, there is no way for a hacker to get at it (unless of course 
> > he somehow gets into your database server, in which case all bets 
> > are off).  But if you store it as a cookie, it's much more 
> > vulnerable to foul play.
> >
> >
> >
> > -----Original Message-----
> > From: Ryan Guill [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 29, 2005 4:14 PM
> > To: CF-Talk
> > Subject: Re: pseudo-memory leak
> >
> > If you are an admin on the machine you could get the passwords even 
> > if they weren't in cookies!  If someone ever puts in their password 
> > at all outside of SSL, you can sniff the password.  If someone 
> > steals the SAM file, what does it matter where I store the password 
> > or how I hash it?
> >
> > What does that have to do with cookies vs client variables and the 
> > security impact of the two?
> >
> > On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> > > Not really.  There are different ways of getting hashes.  One is 
> > > you can be an admin on the machine, and you can get the passwords 
> > > of all the users.
> > > Another way is to sniff it going across the network.  You can also 
> > > steal the SAM file and get the password that way.  The point is, 
> > > you don't always need to have a login on the system (or physical 
> > > access to the machine) to get people's passwords off of it.
> > >
> > > -----Original Message-----
> > > From: Robertson-Ravo, Neil (RX)
> > > [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, November 29, 2005 3:22 PM
> > > To: CF-Talk
> > > Subject: RE: pseudo-memory leak
> > >
> > > LOL, isn't that just like saying - I can get into any computer 
> > > which is locked... if you give me the password?
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
>
>
> 
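The design point argued through the quoted thread, that a password (hashed or not) should never be the value in a cookie, while server-side state reached through an opaque token is the safer pattern, illustrated with an added Python sketch. This is not code from any of the posters and not ColdFusion code; `SessionStore`, `cookie_from_password_hash` and the sample users are hypothetical names constructed for the illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional


# Design A (what the thread argues against): the cookie value is an
# unsalted MD5 of the password.  The same password always produces the
# same cookie, so the value is precomputable, links every user who
# shares that password, and cannot be revoked without changing the
# password itself.
def cookie_from_password_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _token_key(token: str) -> str:
    # Keep only a digest of the token server-side, so a copied store
    # does not hand out live cookie values.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Design B (the safer pattern): the cookie carries only a random session
# token; everything sensitive stays on the server, which is the role the
# thread assigns to client variables kept in a database.  The token says
# nothing about the password and is revoked by deleting the record.
class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[_token_key(token)] = {"user": username}
        return token

    def lookup(self, token: str) -> Optional[str]:
        record = self._sessions.get(_token_key(token))
        return record["user"] if record else None

    def revoke(self, token: str) -> None:
        self._sessions.pop(_token_key(token), None)


def compare_designs() -> Dict[str, bool]:
    """Constructed scenario: two users, alice and bob, chose the same password."""
    shared_password = "Summer2005"  # constructed sample value
    a_cookie = cookie_from_password_hash(shared_password)
    b_cookie = cookie_from_password_hash(shared_password)

    store = SessionStore()
    a_token = store.create("alice")
    b_token = store.create("bob")
    store.revoke(a_token)

    return {
        # Design A: identical cookies reveal that alice and bob share a password.
        "hash_cookies_collide": a_cookie == b_cookie,
        # Design B: tokens are unrelated even for identical passwords.
        "tokens_differ": a_token != b_token,
        # Design B: the server decides which token is still valid.
        "bob_still_valid": store.lookup(b_token) == "bob",
        "alice_revoked": store.lookup(a_token) is None,
    }


if __name__ == "__main__":
    for name, outcome in compare_designs().items():
        print(f"{name}: {outcome}")
```

The token design also gives the server a place to enforce expiry and to invalidate a session after a password change, neither of which is possible when the cookie is derived from the password alone.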
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225697
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4