Richard, see my replies inline:

On Dec 20, 2006, at 8:30 AM, Richard White wrote:

> 1) is this the best way to do it?

This entirely depends on your application. If you are protecting critical data, I would say hashing the password, alone or with a "salt" variable, is a good way to protect the passwords. Alternately, you can encrypt them. If you aren't protecting critical information, storing the passwords in plain text allows you to retrieve them for the user, so there is a tradeoff.

> 2) can anyone advise on the best hashing algorithm to use, or any advice on this matter? Also can anyone provide me with a very short piece of code to show me how to hash the password?

<cfset passwordVar = hash(password)/>

or

<cfset passwordVar = hash(salt & password)/>

(CF has its own hash function)

> 3) seeing as we only have the hashed version of the password what happens if the user has forgotten their password? - do we have to reset their password to one that we know, get them to log on with it, and then ask them to change their password once they have logged on?

Yes.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:264563
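The salt-and-hash scheme and the reset flow from point 3, as an added Python example that is not from the thread or from ColdFusion: it goes beyond the reply's hash(salt & password) by using a per-user random salt with PBKDF2 and constant-time comparison. The USERS table, ITERATIONS and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for the example (assumption): username -> record.
USERS = {}
ITERATIONS = 100_000  # work factor; a plain hash(salt & password) has none


def hash_password(password, salt=None):
    """Return (salt_hex, hash_hex). A fresh random salt per user means two users
    with the same password get different stored values, so one cracked hash or a
    precomputed table does not give away the others."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def create_user(username, password):
    salt_hex, hash_hex = hash_password(password)
    USERS[username] = {"salt": salt_hex, "hash": hash_hex, "must_change": False}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)  # same cost whether or not the user exists
        return False
    _, candidate = hash_password(password, bytes.fromhex(rec["salt"]))
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare


def reset_password(username):
    """Point 3 of the reply: the stored hash cannot be reversed, so issue a new
    temporary password, store only its hash, and force a change at next login."""
    temp = secrets.token_urlsafe(12)
    salt_hex, hash_hex = hash_password(temp)
    USERS[username].update({"salt": salt_hex, "hash": hash_hex, "must_change": True})
    return temp  # shown to the user once; never stored in the clear


def change_password(username, old, new):
    """Complete the reset: the user proves the temporary password, then sets a new one."""
    if not verify_password(username, old):
        return False
    create_user(username, new)  # replaces salt and hash, clears must_change
    return True
```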

