Re: Adding Salt and Password Hash to existing accounts

Eric, in your hashing code did you ever add iterations in SQL? If so, do you have any code samples?

> I've been playing around lately with hashing via both SQL Server 2008 and CF. The following should give you the same results in both:
>
> <cfset hashpwd = hash(pwd & uuid, "SHA-1") />
>
> SET @pwdHash = CONVERT(VARCHAR(40), HashBytes('SHA1', @pwd + @UUID), 2)
>
> My understanding is, SQL Server 2012 is the only version that currently supports SHA512.
>
> Thanks,
> Eric Cobb
> http://www.cfgears.com
>
>> In the example it was a hardcoded string for the salt, 'mySalt'. You'd just replace that with whatever you intend to use.
>>
>> I haven't used SHA512 this way. I only did it the way I did so there was an equivalent method in CF to generate the same hash. You'd have to play around with generating SHA512 hashes in TSQL and make sure you are also able to generate that same hash in CF (assuming you will be doing your hashing in CF at all before sending to the database).
>>
>> You can do as many iterations of the salt as you want I suppose. If I was going to hash multiple times, I'd salt them all.
>>
>> On 3/11/13 9:05 AM, Torrent Girl moniqueb...@gmail.com wrote:
>>> SHA512

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355332
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Adding Salt and Password Hash to existing accounts

> Torrent Girl wrote:
>> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records
>
> A loop like that shouldn't have any issues. Now, with that said I haven't used generateSecretKey() for generating salt. Wouldn't surprise me a bit if it was resource-intensive. Personally I always used createUUID() to salt my records. In fact, I make it a practice on general principles to keep an indexed UUID-containing field in every table and find it often comes in handy for a variety of things.
>
> Years ago I wrote up a system called AccessMonger. The Lite version is free and still on the Exchange:
> http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&loc=en_us&extid=1002753
>
> It does all the stuff you are talking about. Stores salted, hashed pwds, supports pwd expiry and automated warnings (your pwd will expire in 10 days, change it or perish in flames), has user-driven password reset (not recovery) via hint/answer etc. It's old code but it works and if nothing else will give you a feature set and basis to write up your own system.
>
> --
> --m@Robertson--
> Janitor, The Robertson Team
> mysecretbase.com

wow thanks. checking this out now

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355241
Re: Adding Salt and Password Hash to existing accounts

> I've been playing around lately with hashing via both SQL Server 2008 and CF. The following should give you the same results in both:
>
> <cfset hashpwd = hash(pwd & uuid, "SHA-1") />
>
> SET @pwdHash = CONVERT(VARCHAR(40), HashBytes('SHA1', @pwd + @UUID), 2)
>
> My understanding is, SQL Server 2012 is the only version that currently supports SHA512.
>
> Thanks,
> Eric Cobb
> http://www.cfgears.com
>
>> In the example it was a hardcoded string for the salt, 'mySalt'. You'd just replace that with whatever you intend to use.
>>
>> I haven't used SHA512 this way. I only did it the way I did so there was an equivalent method in CF to generate the same hash. You'd have to play around with generating SHA512 hashes in TSQL and make sure you are also able to generate that same hash in CF (assuming you will be doing your hashing in CF at all before sending to the database).
>>
>> You can do as many iterations of the salt as you want I suppose. If I was going to hash multiple times, I'd salt them all.
>>
>> On 3/11/13 9:05 AM, Torrent Girl moniqueb...@gmail.com wrote:
>>> SHA512

Thanks. Is there any benefit to using SHA512 over anything else?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354937
Re: Adding Salt and Password Hash to existing accounts

Torrent Girl moniqueb...@gmail.com wrote:
> Thanks. Is there any benefit to using SHA512 over anything else?

What is the risk profile of the site? What regulations do you have to meet, if any? i.e., FIPS-140-2?
http://en.wikipedia.org/wiki/FIPS_140
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

What does it cost to use higher level encryption? (Probably very little)
Any reason not to use the best encryption? (Probably not with modern systems)

MD5 should not be used. Use SHA-512

--
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354941
Re: Adding Salt and Password Hash to existing accounts

> Password expirations would definitely be the way I would have gone with this. If I didn't have that option I'd probably just hash them all with a single update statement in SQL Server rather than involving CF at all.
>
> update userTable
> set passwordColumn = right(master.dbo.fn_varbintohexstr(hashBytes('MD5', cast(passwordColumn + 'mySalt' as nvarchar(max)))), 32)
>
> Then, to convert a submitted password to that in CF,
>
> lcase(hash(passwordString & 'mySalt', 'MD5', 'UTF-16LE'))
>
> On 3/7/13 3:00 PM, Roger Austin raust...@nc.rr.com wrote:

Thank you. I think I am going to take the SQL route. A few questions on your script.

1. How/where did you set the salt value?
2. Can I do multiple iterations of the salt?
3. Why MD5 and not SHA512?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354922
Re: Adding Salt and Password Hash to existing accounts

In the example it was a hardcoded string for the salt, 'mySalt'. You'd just replace that with whatever you intend to use.

I haven't used SHA512 this way. I only did it the way I did so there was an equivalent method in CF to generate the same hash. You'd have to play around with generating SHA512 hashes in TSQL and make sure you are also able to generate that same hash in CF (assuming you will be doing your hashing in CF at all before sending to the database).

You can do as many iterations of the salt as you want I suppose. If I was going to hash multiple times, I'd salt them all.

On 3/11/13 9:05 AM, Torrent Girl moniqueb...@gmail.com wrote:
> SHA512

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354924
Re: Adding Salt and Password Hash to existing accounts

I've been playing around lately with hashing via both SQL Server 2008 and CF. The following should give you the same results in both:

<cfset hashpwd = hash(pwd & uuid, "SHA-1") />

SET @pwdHash = CONVERT(VARCHAR(40), HashBytes('SHA1', @pwd + @UUID), 2)

My understanding is, SQL Server 2012 is the only version that currently supports SHA512.

Thanks,
Eric Cobb
http://www.cfgears.com

From: Bobby bo...@acoderslife.com
Sent: Monday, March 11, 2013 11:04 AM
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: Adding Salt and Password Hash to existing accounts

> In the example it was a hardcoded string for the salt, 'mySalt'. You'd just replace that with whatever you intend to use.
>
> I haven't used SHA512 this way. I only did it the way I did so there was an equivalent method in CF to generate the same hash. You'd have to play around with generating SHA512 hashes in TSQL and make sure you are also able to generate that same hash in CF (assuming you will be doing your hashing in CF at all before sending to the database).
>
> You can do as many iterations of the salt as you want I suppose. If I was going to hash multiple times, I'd salt them all.
>
> On 3/11/13 9:05 AM, Torrent Girl moniqueb...@gmail.com wrote:
>> SHA512

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354926
Re: Adding Salt and Password Hash to existing accounts

>> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records
>
> You have a couple of options.
>
> First, you could simply increase the timeout for the script using the appropriate CF command.
>
> <cfsetting enabletimeout="some larger number goes here">
>
> Second, you could write a paging mechanism to only do this with n records, then invoke the script again for the next n after the first iteration has completed.
>
> Third, you could rewrite the whole thing as a stored procedure. Updating each record individually from CF is the least-efficient way to make a global change to your database.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354909
Re: Adding Salt and Password Hash to existing accounts

> Torrent Girl moniqueb...@gmail.com wrote:
>> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records
>
> This is why I suggested that you pre-expire everyone and have them update their credentials on next log in. It spreads out the load and you have to have the code anyway.
>
> You might check for a blank password field and then send them to change their password to the new salted hash version. Then, blank out the password field at the same time.
>
> --
> LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
> Twitter: http://twitter.com/RogerTheGeek
> Google+: https://plus.google.com/117357905892731200369

Thanks Roger. It looks like I am going to have to do this because I keep getting time outs.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354910
Re: Adding Salt and Password Hash to existing accounts

Torrent Girl wrote:
> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records

A loop like that shouldn't have any issues. Now, with that said I haven't used generateSecretKey() for generating salt. Wouldn't surprise me a bit if it was resource-intensive. Personally I always used createUUID() to salt my records. In fact, I make it a practice on general principles to keep an indexed UUID-containing field in every table and find it often comes in handy for a variety of things.

Years ago I wrote up a system called AccessMonger. The Lite version is free and still on the Exchange:
http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&loc=en_us&extid=1002753

It does all the stuff you are talking about. Stores salted, hashed pwds, supports pwd expiry and automated warnings (your pwd will expire in 10 days, change it or perish in flames), has user-driven password reset (not recovery) via hint/answer etc. It's old code but it works and if nothing else will give you a feature set and basis to write up your own system.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354911
Re: Adding Salt and Password Hash to existing accounts

> Here you go.
>
> <cfquery name="GetUserPasswords">
>     select memberid, password from users
> </cfquery>
> <cfoutput>#GetUserPasswords.RecordCount#</cfoutput><!--- Just to see how many we have --->
> <cfset salt = "" />
> <cfset newpassword = "" />
> <cfset count = 0 />
> <cfloop query="GetUserPasswords">
>     <!--- fresh random salt for every record --->
>     <cfset salt = generateSecretKey("DESEDE") />
>     <!--- hash() with no algorithm is MD5; the salted SHA-256 is taken over that hex digest plus the salt --->
>     <cfset newpassword = hash(hash(password[currentrow]) & salt, "SHA-256", "us-ascii") />
>     <cfquery name="updateUser">
>         update users
>         set password = <cfqueryparam value="#newpassword#" cfsqltype="cf_sql_varchar" />,
>             salt = <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar" />
>         where memberid = <cfqueryparam value="#memberid[currentrow]#" cfsqltype="cf_sql_varchar" />
>     </cfquery>
>     <cfset salt = "" />
>     <cfset newpassword = "" />
>     <cfset count = count + 1 />
> </cfloop>
> and we changed <cfoutput>#count#</cfoutput>
>
> Again, you will want to change one account and test it to make sure that your login routine will validate the password and login the user. Then you can just run this on the whole table, no muss no fuss. You won't have to make the users change anything, their passwords will just be secure.
>
> You will also have to come up with a Forgot Password routine, since the passwords are irretrievable.
>
> Cheers,
> Rob

Thank you!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354872
Re: Adding Salt and Password Hash to existing accounts

I suggest adding a new bit flag column to the table and only update records that have that flag set to 0. The password update query could set that flag to 1 so if you accidentally run that template twice, you don't hash and salt salted hashes.

Step 1, back up the database.

On 3/7/13 11:02 AM, Torrent Girl moniqueb...@gmail.com wrote:
>> Here you go.
>>
>> <cfquery name="GetUserPasswords">
>>     select memberid, password from users
>> </cfquery>
>> <cfoutput>#GetUserPasswords.RecordCount#</cfoutput><!--- Just to see how many we have --->
>> <cfset salt = "" />
>> <cfset newpassword = "" />
>> <cfset count = 0 />
>> <cfloop query="GetUserPasswords">
>>     <!--- fresh random salt for every record --->
>>     <cfset salt = generateSecretKey("DESEDE") />
>>     <!--- hash() with no algorithm is MD5; the salted SHA-256 is taken over that hex digest plus the salt --->
>>     <cfset newpassword = hash(hash(password[currentrow]) & salt, "SHA-256", "us-ascii") />
>>     <cfquery name="updateUser">
>>         update users
>>         set password = <cfqueryparam value="#newpassword#" cfsqltype="cf_sql_varchar" />,
>>             salt = <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar" />
>>         where memberid = <cfqueryparam value="#memberid[currentrow]#" cfsqltype="cf_sql_varchar" />
>>     </cfquery>
>>     <cfset salt = "" />
>>     <cfset newpassword = "" />
>>     <cfset count = count + 1 />
>> </cfloop>
>> and we changed <cfoutput>#count#</cfoutput>
>>
>> Again, you will want to change one account and test it to make sure that your login routine will validate the password and login the user. Then you can just run this on the whole table, no muss no fuss. You won't have to make the users change anything, their passwords will just be secure.
>>
>> You will also have to come up with a Forgot Password routine, since the passwords are irretrievable.
>>
>> Cheers,
>> Rob
>
> Thank you!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354874
Re: Adding Salt and Password Hash to existing accounts

> Here you go.
>
> <cfquery name="GetUserPasswords">
>     select memberid, password from users
> </cfquery>
> <cfoutput>#GetUserPasswords.RecordCount#</cfoutput><!--- Just to see how many we have --->
> <cfset salt = "" />
> <cfset newpassword = "" />
> <cfset count = 0 />
> <cfloop query="GetUserPasswords">
>     <!--- fresh random salt for every record --->
>     <cfset salt = generateSecretKey("DESEDE") />
>     <!--- hash() with no algorithm is MD5; the salted SHA-256 is taken over that hex digest plus the salt --->
>     <cfset newpassword = hash(hash(password[currentrow]) & salt, "SHA-256", "us-ascii") />
>     <cfquery name="updateUser">
>         update users
>         set password = <cfqueryparam value="#newpassword#" cfsqltype="cf_sql_varchar" />,
>             salt = <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar" />
>         where memberid = <cfqueryparam value="#memberid[currentrow]#" cfsqltype="cf_sql_varchar" />
>     </cfquery>
>     <cfset salt = "" />
>     <cfset newpassword = "" />
>     <cfset count = count + 1 />
> </cfloop>
> and we changed <cfoutput>#count#</cfoutput>
>
> Again, you will want to change one account and test it to make sure that your login routine will validate the password and login the user. Then you can just run this on the whole table, no muss no fuss. You won't have to make the users change anything, their passwords will just be secure.
>
> You will also have to come up with a Forgot Password routine, since the passwords are irretrievable.
>
> Cheers,
> Rob

Hi Rob

Did you have a problem with timeouts or out of memory errors? I have quite a bit of records

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354876
Re: Adding Salt and Password Hash to existing accounts

I did not have any time out issues. I'd do what Bobby suggests and add the flag, that way a timeout doesn't kill what you had accomplished. I'm presuming you are doing this in a dev environment, so you can always increase your timeout times so that it runs.

Cheers,
Rob

On 2013-03-07 12:58 PM, Torrent Girl moniqueb...@gmail.com wrote:
>> Here you go.
>>
>> <cfquery name="GetUserPasswords">
>>     select memberid, password from users
>> </cfquery>
>> <cfoutput>#GetUserPasswords.RecordCount#</cfoutput><!--- Just to see how many we have --->
>> <cfset salt = "" />
>> <cfset newpassword = "" />
>> <cfset count = 0 />
>> <cfloop query="GetUserPasswords">
>>     <!--- fresh random salt for every record --->
>>     <cfset salt = generateSecretKey("DESEDE") />
>>     <!--- hash() with no algorithm is MD5; the salted SHA-256 is taken over that hex digest plus the salt --->
>>     <cfset newpassword = hash(hash(password[currentrow]) & salt, "SHA-256", "us-ascii") />
>>     <cfquery name="updateUser">
>>         update users
>>         set password = <cfqueryparam value="#newpassword#" cfsqltype="cf_sql_varchar" />,
>>             salt = <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar" />
>>         where memberid = <cfqueryparam value="#memberid[currentrow]#" cfsqltype="cf_sql_varchar" />
>>     </cfquery>
>>     <cfset salt = "" />
>>     <cfset newpassword = "" />
>>     <cfset count = count + 1 />
>> </cfloop>
>> and we changed <cfoutput>#count#</cfoutput>
>>
>> Again, you will want to change one account and test it to make sure that your login routine will validate the password and login the user. Then you can just run this on the whole table, no muss no fuss. You won't have to make the users change anything, their passwords will just be secure.
>>
>> You will also have to come up with a Forgot Password routine, since the passwords are irretrievable.
>>
>> Cheers,
>> Rob
>
> Hi Rob
>
> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354877
Re: Adding Salt and Password Hash to existing accounts

> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records

You have a couple of options.

First, you could simply increase the timeout for the script using the appropriate CF command.

<cfsetting enabletimeout="some larger number goes here">

Second, you could write a paging mechanism to only do this with n records, then invoke the script again for the next n after the first iteration has completed.

Third, you could rewrite the whole thing as a stored procedure. Updating each record individually from CF is the least-efficient way to make a global change to your database.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354878
Re: Adding Salt and Password Hash to existing accounts

> First, you could simply increase the timeout for the script using the appropriate CF command.
>
> <cfsetting enabletimeout="some larger number goes here">

Oops, I meant:

<cfsetting requesttimeout="some larger number goes here">

Also, this won't address memory problems, just timeouts.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354879
Re: Adding Salt and Password Hash to existing accounts

Torrent Girl moniqueb...@gmail.com wrote:
> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records

This is why I suggested that you pre-expire everyone and have them update their credentials on next log in. It spreads out the load and you have to have the code anyway.

You might check for a blank password field and then send them to change their password to the new salted hash version. Then, blank out the password field at the same time.

--
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354880
Re: Adding Salt and Password Hash to existing accounts

Password expirations would definitely be the way I would have gone with this. If I didn't have that option I'd probably just hash them all with a single update statement in SQL Server rather than involving CF at all.

update userTable
set passwordColumn = right(master.dbo.fn_varbintohexstr(hashBytes('MD5', cast(passwordColumn + 'mySalt' as nvarchar(max)))), 32)

Then, to convert a submitted password to that in CF,

lcase(hash(passwordString & 'mySalt', 'MD5', 'UTF-16LE'))

On 3/7/13 3:00 PM, Roger Austin raust...@nc.rr.com wrote:
> Torrent Girl moniqueb...@gmail.com wrote:
>> Did you have a problem with timeouts or out of memory errors? I have quite a bit of records
>
> This is why I suggested that you pre-expire everyone and have them update their credentials on next log in. It spreads out the load and you have to have the code anyway.
>
> You might check for a blank password field and then send them to change their password to the new salted hash version. Then, blank out the password field at the same time.
>
> --
> LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
> Twitter: http://twitter.com/RogerTheGeek
> Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354882
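Bobby's T-SQL update above and Eric's CF/T-SQL pair further up the thread both depend on ColdFusion and SQL Server hashing exactly the same bytes and printing them the same way. Added example (not code from the thread): a Python model of both pairs that shows where they can silently diverge; the SQL helpers model only the documented output shape of HashBytes, CONVERT(..., 2) and master.dbo.fn_varbintohexstr, ASCII passwords are assumed, and the sample inputs are constructed.

```python
"""Model of the CF <-> T-SQL hash equivalences discussed in the thread.

Eric:  <cfset hashpwd = hash(pwd & uuid, "SHA-1")>
       SET @pwdHash = CONVERT(VARCHAR(40), HashBytes('SHA1', @pwd + @UUID), 2)
Bobby: right(fn_varbintohexstr(hashBytes('MD5', cast(pw + 'mySalt' as nvarchar(max)))), 32)
       lcase(hash(passwordString & 'mySalt', 'MD5', 'UTF-16LE'))

Three things must agree on both sides: the bytes hashed (varchar is one byte
per character, nvarchar is UTF-16LE), the hex case, and the '0x' prefix.
"""
import hashlib

ALG = {"SHA1": "sha1", "SHA-1": "sha1", "MD5": "md5"}


# --- T-SQL side (output shapes as documented for SQL Server) ----------------
def sql_hashbytes(alg: str, data: bytes) -> bytes:
    """HashBytes(alg, data): raw digest over the bytes SQL Server holds."""
    return hashlib.new(ALG[alg], data).digest()


def sql_convert_style2(vb: bytes) -> str:
    """CONVERT(VARCHAR(n), varbinary, 2): uppercase hex, no 0x prefix."""
    return vb.hex().upper()


def sql_fn_varbintohexstr(vb: bytes) -> str:
    """master.dbo.fn_varbintohexstr: '0x' followed by lowercase hex."""
    return "0x" + vb.hex()


def sql_varchar(s: str) -> bytes:
    """varchar: one byte per character (ASCII assumed for this model)."""
    return s.encode("ascii")


def sql_nvarchar(s: str) -> bytes:
    """cast(... as nvarchar(max)): UTF-16LE, two bytes per BMP character."""
    return s.encode("utf-16-le")


# --- ColdFusion side ---------------------------------------------------------
def cf_hash(s: str, alg: str, encoding: str = "utf-8") -> str:
    """hash(string, algorithm, encoding): uppercase hex of the encoded string.
    The default encoding is the JVM's; UTF-8 is assumed here."""
    return hashlib.new(ALG[alg], s.encode(encoding)).hexdigest().upper()


# --- Eric's pair: SHA-1 over pwd & uuid --------------------------------------
def eric_cf(pwd: str, uuid: str) -> str:
    return cf_hash(pwd + uuid, "SHA-1")


def eric_sql(pwd: str, uuid: str) -> str:
    # @pwd and @UUID are varchar, so the bytes match CF's for ASCII input.
    return sql_convert_style2(sql_hashbytes("SHA1", sql_varchar(pwd + uuid)))


# --- Bobby's pair: MD5 over nvarchar(pw + 'mySalt') --------------------------
SALT = "mySalt"  # the hard-coded salt from Bobby's post


def bobby_sql(pw: str) -> str:
    # right(..., 32) drops the '0x' prefix and keeps the 32 lowercase hex chars.
    return sql_fn_varbintohexstr(sql_hashbytes("MD5", sql_nvarchar(pw + SALT)))[-32:]


def bobby_cf(pw: str) -> str:
    # lcase() because fn_varbintohexstr is lowercase while CF hash() is uppercase.
    return cf_hash(pw + SALT, "MD5", "utf-16-le").lower()


def bobby_cf_wrong_encoding(pw: str) -> str:
    """The same call without 'UTF-16LE': CF hashes UTF-8 bytes while SQL hashed
    UTF-16LE bytes, so every login comparison fails after the migration."""
    return cf_hash(pw + SALT, "MD5").lower()


if __name__ == "__main__":
    print("Eric   CF == SQL:", eric_cf("ab", "c") == eric_sql("ab", "c"))
    print("Bobby  CF == SQL:", bobby_cf("hunter2") == bobby_sql("hunter2"))
    print("Bobby, encoding omitted:", bobby_cf_wrong_encoding("hunter2") == bobby_sql("hunter2"))
```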
Re: Adding Salt and Password Hash to existing accounts

> When I performed this same task a few months ago, I basically wrote a page that did all the salting and updating as a loop. Obviously I had decided on the actual process for login and tested it to make sure it worked. I just increased the size of the password column, added a salt column and ran all users through the salting processing page. I can find the code if you are interested.
>
> Rob
>
> On 2013-03-05 7:15 AM, Torrent Girl moniqueb...@gmail.com wrote:

Rob that would be GREAT. Thank you

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354851
Re: Adding Salt and Password Hash to existing accounts

Here you go.

<cfquery name="GetUserPasswords">
    select memberid, password from users
</cfquery>
<cfoutput>#GetUserPasswords.RecordCount#</cfoutput><!--- Just to see how many we have --->
<cfset salt = "" />
<cfset newpassword = "" />
<cfset count = 0 />
<cfloop query="GetUserPasswords">
    <!--- fresh random salt for every record --->
    <cfset salt = generateSecretKey("DESEDE") />
    <!--- hash() with no algorithm is MD5; the salted SHA-256 is taken over that hex digest plus the salt --->
    <cfset newpassword = hash(hash(password[currentrow]) & salt, "SHA-256", "us-ascii") />
    <cfquery name="updateUser">
        update users
        set password = <cfqueryparam value="#newpassword#" cfsqltype="cf_sql_varchar" />,
            salt = <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar" />
        where memberid = <cfqueryparam value="#memberid[currentrow]#" cfsqltype="cf_sql_varchar" />
    </cfquery>
    <cfset salt = "" />
    <cfset newpassword = "" />
    <cfset count = count + 1 />
</cfloop>
and we changed <cfoutput>#count#</cfoutput>

Again, you will want to change one account and test it to make sure that your login routine will validate the password and login the user. Then you can just run this on the whole table, no muss no fuss. You won't have to make the users change anything, their passwords will just be secure.

You will also have to come up with a Forgot Password routine, since the passwords are irretrievable.

Cheers,
Rob

On Wed, Mar 6, 2013 at 9:33 AM, Torrent Girl moniqueb...@gmail.com wrote:
>> When I performed this same task a few months ago, I basically wrote a page that did all the salting and updating as a loop. Obviously I had decided on the actual process for login and tested it to make sure it worked. I just increased the size of the password column, added a salt column and ran all users through the salting processing page. I can find the code if you are interested.
>>
>> Rob
>>
>> On 2013-03-05 7:15 AM, Torrent Girl moniqueb...@gmail.com wrote:
>
> Rob that would be GREAT. Thank you

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354852
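Rob's one-time loop above, together with the "already migrated" flag column Bobby suggests further up the thread, modelled as an added Python example (not code from the thread) so the scheme and its login check can be exercised offline. The users table is a constructed in-memory list, the flag column name `migrated` is hypothetical, and CF's default hash() encoding is assumed to be UTF-8.

```python
"""One-shot migration of plaintext passwords to salt + SHA-256(MD5hex(pw) + salt),
following Rob's <cfset>:  hash(hash(password) & salt, "SHA-256", "us-ascii").

hash() with no algorithm is MD5 and returns uppercase hex, so the inner step is a
hex digest (not raw bytes); upper() below mirrors CF's output case.
"""
import hashlib
import hmac
import secrets

# Constructed sample table: plaintext passwords, as in the legacy system.
# 'migrated' is the hypothetical bit flag column Bobby proposed.
USERS = [
    {"memberid": "1", "password": "correct horse", "salt": "", "migrated": 0},
    {"memberid": "2", "password": "hunter2", "salt": "", "migrated": 0},
]


def new_salt() -> str:
    """Per-record random salt. Rob used generateSecretKey("DESEDE"); any CSPRNG
    value of comparable size serves the same purpose."""
    return secrets.token_hex(24)


def salted_hash(plaintext: str, salt: str) -> str:
    """SHA256(MD5hex(plaintext) + salt) as uppercase hex, mirroring the nested hash() calls."""
    inner = hashlib.md5(plaintext.encode("utf-8")).hexdigest().upper()
    return hashlib.sha256((inner + salt).encode("us-ascii")).hexdigest().upper()


def migrate(users) -> int:
    """One pass over the table. Rows already flagged are skipped, so running the
    template twice by accident does not salt-and-hash an existing salted hash.
    Returns the number of rows rewritten (Rob's 'and we changed' counter)."""
    changed = 0
    for u in users:
        if u["migrated"]:
            continue
        salt = new_salt()
        u["password"] = salted_hash(u["password"], salt)  # plaintext is gone after this
        u["salt"] = salt
        u["migrated"] = 1
        changed += 1
    return changed


def verify(user, candidate: str) -> bool:
    """Login check after migration: recompute from the stored salt and compare in
    constant time. Unmigrated or blanked rows are refused here so the login code
    can route them to a password-reset flow instead (Roger's approach)."""
    if not user["migrated"] or not user["password"]:
        return False
    return hmac.compare_digest(user["password"], salted_hash(candidate, user["salt"]))


if __name__ == "__main__":
    print("rewritten on first run:", migrate(USERS))
    print("rewritten on second run:", migrate(USERS))
    print("login with correct password:", verify(USERS[0], "correct horse"))
    print("login with wrong password:", verify(USERS[0], "hunter2"))
```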
Adding Salt and Password Hash to existing accounts

Hello all

I am implementing salt/password hash to an application that is being redeveloped. Adding salt/hash to newly created accounts is going well but of course there are hundreds of existing accounts.

What would be the best practice for adding salt/hash to all of the existing records?

Thanks in advance.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354807
Re: Adding Salt and Password Hash to existing accounts

Torrent Girl moniqueb...@gmail.com wrote:
> Hello all
>
> I am implementing salt/password hash to an application that is being redeveloped. Adding salt/hash to newly created accounts is going well but of course there are hundreds of existing accounts.
>
> What would be the best practice for adding salt/hash to all of the existing records?

Do you have a password reset routine? If so, convert that to the salted hash and force everyone to change their password at the next session.

--
LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354810
Re: Adding Salt and Password Hash to existing accounts

When I performed this same task a few months ago, I basically wrote a page that did all the salting and updating as a loop. Obviously I had decided on the actual process for login and tested it to make sure it worked. I just increased the size of the password column, added a salt column and ran all users through the salting processing page. I can find the code if you are interested.

Rob

On 2013-03-05 7:15 AM, Torrent Girl moniqueb...@gmail.com wrote:
> Hello all
>
> I am implementing salt/password hash to an application that is being redeveloped. Adding salt/hash to newly created accounts is going well but of course there are hundreds of existing accounts.
>
> What would be the best practice for adding salt/hash to all of the existing records?
>
> Thanks in advance.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354811
Re: Adding Salt and Password Hash to existing accounts

> When I performed this same task a few months ago, I basically wrote a page that did all the salting and updating as a loop. Obviously I had decided on the actual process for login and tested it to make sure it worked. I just increased the size of the password column, added a salt column and ran all users through the salting processing page. I can find the code if you are interested.

This would imply that you're storing the users' plaintext passwords, which defeats the whole point of hashing them (e.g. you add the salt to the password before you run the hash algorithm [e.g. hash(pw+salt)]). The only way to add salt to the hash after the fact is if you have the plaintext passwords. This is why adding salt after accounts are established is hard: you have to wait for people to log in again to get the plaintext password to work with.

If you just appended a salt value to the end of the hash value stored in the database (e.g. hash(pw)+salt) then it is not adding any additional security.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354821
Re: Adding Salt and Password Hash to existing accounts
On 3/5/2013 7:15 AM, Torrent Girl wrote:
> Hello all
>
> I am implementing salt/password hash to an application that is being redeveloped. Adding salt/hash to newly created accounts is going well but of course there are hundreds of existing accounts.
>
> What would be the best practice for adding salt/hash to all of the existing records?

A field for PasswordExpiration or MustResetPassword in the database is helpful for this and other things. You can check on login to see if it is set and force a password change. I've used both in different situations. That way, you can force the issue once you have your salt-hash function set up.

--
LinkedIn: http://www.linkedin.com/pub/8/a4/60
Twitter: http://twitter.com/RogerTheGeek
Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354824
Re: Adding Salt and Password Hash to existing accounts
I guess I didn't make myself clear. I wrote a routine that salted and hashed all of the plain text passwords that were in the system. It was a simple routine that only needed to run once. There was no inconvenience to the users, as their passwords didn't change, they just were secure from anyone else accessing them.

I guess the question becomes: can you take the site offline for 20 minutes to run the routine and update your login security to be based on salts and hashes?

Cheers,
Rob

On Tue, Mar 5, 2013 at 1:29 PM, Roger Austin raust...@nc.rr.com wrote:
> On 3/5/2013 7:15 AM, Torrent Girl wrote:
>> Hello all
>>
>> I am implementing salt/password hash to an application that is being redeveloped. Adding salt/hash to newly created accounts is going well but of course there are hundreds of existing accounts.
>>
>> What would be the best practice for adding salt/hash to all of the existing records?
>
> A field for PasswordExpiration or MustResetPassword in the database is helpful for this and other things. You can check on login to see if it is set and force a password change. I've used both in different situations. That way, you can force the issue once you have your salt-hash function set up.
>
> --
> LinkedIn: http://www.linkedin.com/pub/8/a4/60
> Twitter: http://twitter.com/RogerTheGeek
> Google+: https://plus.google.com/117357905892731200369

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354832
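The one-time conversion Rob describes (add a salt column, run every plaintext password through the salting routine once), combined with the MustResetPassword flag Roger suggests checking at login, as an added Python example that is not the code from either post. It uses an in-memory SQLite table as a stand-in for the real users table, constructed sample accounts, and PBKDF2-HMAC-SHA512 in place of the plain SHA-1/SHA-512 discussed elsewhere in the thread; the column names and the iteration count are assumptions:

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def make_salt() -> str:
    # 16 random bytes, hex-encoded; the thread used UUID-style salts instead.
    return os.urandom(16).hex()


def hash_password(password: str, salt: str) -> str:
    """Salted password hash. PBKDF2-HMAC-SHA512 is swapped in for the plain
    hash(pw+salt) of the thread; it still takes (password, salt)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt), PBKDF2_ROUNDS)
    return dk.hex()


def build_legacy_db() -> sqlite3.Connection:
    """Constructed stand-in for the existing table that holds plaintext
    passwords. SQLite TEXT columns have no fixed width, so the 'increase
    the size of the password column' step needs no ALTER here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password TEXT, must_reset INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "correct horse"),
                      ("carol", "hunter2")])
    conn.commit()
    return conn


def migrate(conn: sqlite3.Connection) -> int:
    """The run-once routine: add a salt column, then replace every plaintext
    password with its salted hash. Returns the number of rows converted."""
    conn.execute("ALTER TABLE users ADD COLUMN salt TEXT")
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    for username, plaintext in rows:
        salt = make_salt()  # fresh salt per account
        conn.execute("UPDATE users SET password = ?, salt = ? WHERE username = ?",
                     (hash_password(plaintext, salt), salt, username))
    conn.commit()
    return len(rows)


def login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Post-migration login check: returns 'ok', 'reset_required' or 'denied'.
    The must_reset flag is checked only after the password verifies."""
    row = conn.execute("SELECT password, salt, must_reset FROM users "
                       "WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "denied"
    stored, salt, must_reset = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return "denied"
    return "reset_required" if must_reset else "ok"


def demo() -> dict:
    conn = build_legacy_db()
    converted = migrate(conn)
    # Flag one account the way a PasswordExpiration/MustResetPassword
    # field would be set, so the next login is forced through a change.
    conn.execute("UPDATE users SET must_reset = 1 WHERE username = 'carol'")
    conn.commit()
    stored = dict(conn.execute("SELECT username, password FROM users").fetchall())
    return {
        "converted": converted,
        "plaintext_gone": "hunter2" not in stored.values(),
        # alice and carol share a password but get different stored hashes
        "same_pw_differs": stored["alice"] != stored["carol"],
        "alice_ok": login(conn, "alice", "hunter2"),
        "alice_wrong": login(conn, "alice", "hunter3"),
        "carol_reset": login(conn, "carol", "hunter2"),
        "nobody": login(conn, "dave", "x"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

As Rob says, the conversion only works while the plaintext is still there, so it runs once with the site offline, and the login code is switched to the salted check in the same change; the flag on carol's row shows how an account can be forced through a password change after a successful login without touching the hashes.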
Re: Adding Salt and Password Hash to existing accounts
> I guess I didn't make myself clear. I wrote a routine that salted and hashed all of the plain text passwords that were in the system.

Ah, that is a good thing then. I took it that you were adding salts to an existing hash like the original poster.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354846
Re: Adding Salt and Password Hash to existing accounts
The original poster never said they were adding salts to existing hashes. They laid out the same scenario of converting plaintext passwords to salted hashes.

On 3/5/13 7:06 PM, Justin Scott leviat...@darktech.org wrote:
>> I guess I didn't make myself clear. I wrote a routine that salted and hashed all of the plain text passwords that were in the system.
>
> Ah, that is a good thing then. I took it that you were adding salts to an existing hash like the original poster.
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354847
Re: Adding Salt and Password Hash to existing accounts
> The original poster never said they were adding salts to existing hashes. They laid out the same scenario of converting plaintext passwords to salted hashes.

I'm just on a roll of misreading today. When she said adding salt my brain stopped there and didn't register the /hash after that. Coffee. Yes, more coffee is the solution. Coffee shall make it all better. :)

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354848