on 10/18/00 6:43 PM, Neil Clark at [EMAIL PROTECTED] wrote:

> Okay, hashing the password seems to be overkill - why not simply
> generate a random key which you can use with encrypt(form.password, key)
> this value can then be placed in the db along with the key...  when it comes
> to it, simply decrypt the form.password with the given key and you're away.
> If they don't match - see ya, if they do - cool. ;-)
> 
> People 'peeking' in your DB should never be a problem if it is set up
> correctly with security et al.....

But because you are providing the key, anyone with access to the database and
a copy of ColdFusion can instantly decrypt all the passwords. The hash
method is far better because even if the database security is broken the
passwords are still secure.

-- 

Rob Keniger

big bang solutions

<mailto:[EMAIL PROTECTED]>
<http://www.bigbang.net.au>
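
The difference discussed in this exchange, as an added Python example that is not part of the original post and is not ColdFusion code: a row that stores a ciphertext next to its key can be reversed by anyone who can read the table, while a row that stores a salted hash can only be checked against a guess. `toy_encrypt` is a constructed stand-in for a reversible cipher (not ColdFusion's `encrypt()`), and salted PBKDF2 with the iteration count shown is an assumed choice of hash.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a reversible cipher: XOR with a SHA-256 keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def store_encrypted(password: str) -> dict:
    """Scheme from the quoted message: random key saved in the same row as the ciphertext."""
    key = secrets.token_bytes(16)
    return {"key": key, "ciphertext": toy_encrypt(password.encode(), key)}


def store_hashed(password: str) -> dict:
    """Scheme from the reply: only a one-way digest (plus a per-user salt) is saved."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_hashed(row: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), row["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, row["digest"])


def recover_from_row(row: dict):
    """What the stored columns alone give back to someone reading the table."""
    if "key" in row:
        # Key and ciphertext sit side by side, so decryption needs nothing else.
        return toy_decrypt(row["ciphertext"], row["key"]).decode()
    # Hashed row: no stored value inverts to the password; it can only be
    # tested against guesses, which the salt and iteration count slow down.
    return None
```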
