Best Practice: Encrypt() vs hash() for password storing? Also, salt storing?
I'm trying to expand my knowledge on security, reading many articles about the different methods of doing so. I've found the two easiest solutions to use, and those are Encrypt() and hash(). Here's how I'm using them -- I'm looking for which would be better security.
For both methods, I am using a salt.
<cfset salt = generateSecretKey('AES')>
<cfset password = FORM.Password>
With encrypt, this is all it takes:
Encrypt(password, salt);
With hash, I'm doing:
hash(password & salt, 'SHA-512', 'UTF-8' );
I can also loop the hash several times to give it more variation:
hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );
for (i = 1; i LTE 1024; i=i+1) {
    hashed = hash( hashed & salt, arguments.algorithm, 'UTF-8' );
}
So which method is going to be better protection if someone happened to come upon encrypted password information? Is there a better (free/built-in) method than what I've described?
Also, since both methods will require the original salt used, what's the best procedure for storing the salt? In another database? I've seen some examples store it as a Request variable in application.cfc, but that would allow anyone who has access to the code to see it.
