Thanks for the help guys

> Hi,
>
> We store user passwords as a hash value with a salt phrase using CF.
> However, we have recently had a penetration test done on our servers
> and they have advised that when the password gets sent to the server,
> the actual password gets stored in the browser memory. They have
> suggested adding the salt phrase and hashing using JavaScript before
> we send it to the server.
>
> However, I am wondering:
>
> 1) is this best practice, as if the salt phrase is contained within
> JavaScript it will be easy for anyone to see what it is
> 2) if this is best practice, then how can I obfuscate the salt phrase,
> and also is there a JS equivalent to ColdFusion's SHA-512 hash
> function?
>
> Many thanks,
> Richard

