I recently discovered this when I signed up for LastPass: it shows you all the login details stored in your browser, and I'm quite sure most of these I have not intentionally saved. So if LastPass can do it, then any web app can do it. This is interesting reading: http://raidersec.blogspot.co.uk/2013/06/how-browsers-store-your-passwords-and.html
Hashing is a one-way process, btw; you cannot un-hash something. However, you can use rainbow tables to find the original string that was hashed, so if people use crappy passwords then they are still hackable using this method. So enforcing strong passwords is really a requirement these days. The best solution is to randomly generate long passphrases and then encourage users to use a password manager such as LastPass. This may also help: http://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes

On Fri, Feb 7, 2014 at 1:37 PM, Richard White <[email protected]> wrote:
>
> Hi,
>
> We store user passwords as a hash value with a salt phrase using CF.
> However, we have recently had a penetration test done on our servers and
> they have advised that when the password gets sent to the server, the
> actual password gets stored in the browser memory. They have suggested
> adding the salt phrase and hashing using JavaScript before we send it to
> the server.
>
> However, I am wondering:
>
> 1) Is this best practice, as if the salt phrase is contained within
> JavaScript it will be easy for anyone to see what it is?
> 2) If this is best practice, then how can I obfuscate the salt phrase, and
> also is there a JS equivalent to ColdFusion's SHA-512 hash function?
>
> Many thanks,
> Richard

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357612

