Hi, we store user passwords as a hash value with a salt phrase using CF. However, we have recently had a penetration test done on our servers and they have advised that when the password gets sent to the server, the actual password gets stored in the browser memory. They have suggested adding the salt phrase and hashing using JavaScript before we send it to the server.
However, I am wondering:
1) Is this best practice, as if the salt phrase is contained within JavaScript it will be easy for anyone to see what it is?
2) If this is best practice, then how can I obfuscate the salt phrase, and also is there a JS equivalent to ColdFusion's SHA-512 hash function?
Many thanks,
Richard

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357608

