I'm trying to expand my knowledge on security, reading many articles about the different methods of doing so. I've found the easiest two solutions to use, and those are Encrypt() and hash(). Here's how I'm using them -- I'm looking for which would be better security.
For both methods, I am using a salt.
<cfset salt = generateSecretKey('AES')>
<cfset password = FORM.Password>
With encrypt, this is all it takes:
Encrypt(password, salt);
With hash, I'm doing:
hash(password & salt, 'SHA-512', 'UTF-8' );
I can also loop the hash several times to give it more variation:
// iterate the salted hash; the algorithm is 'SHA-512', the same as in the single-hash call above
hashed = hash( password & salt, 'SHA-512', 'UTF-8' );
for (i = 1; i LTE 1024; i = i + 1) {
    hashed = hash( hashed & salt, 'SHA-512', 'UTF-8' );
}
So which method is going to be better protection if someone happened to come upon encrypted password information? Is there a better (free/built-in) method than what I've described?
Also, since both methods will require the original salt used, what's the best procedure for storing the salt? In another database? I've seen some examples store it as a Request variable in application.cfc, but that would allow anyone who has access to the code to see it.
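The following cfscript is an added example, not code from anyone in this thread. It shows the pattern the question is circling: a random salt generated per user and stored in the same database row as the hash (the salt is not a secret, so it needs no separate store), the iteration count stored beside it, and verification that recomputes the hash and compares in constant time. It assumes ColdFusion 10 or later, where Hash() accepts a fourth "iterations" argument, and the column names (pw_hash, pw_salt, pw_iterations) are hypothetical.

```cfml
// Added example (not from the thread). Assumes ColdFusion 10+ for Hash()'s iterations argument.
// Hypothetical storage: one row per user with columns pw_hash, pw_salt, pw_iterations.

function hashPassword(required string password, required string salt, numeric iterations = 100000) {
    // Salted, iterated SHA-512; the iteration count slows down offline guessing
    return hash(arguments.password & arguments.salt, "SHA-512", "UTF-8", arguments.iterations);
}

function createCredential(required string password) {
    // generateSecretKey returns random bytes from the JVM's CSPRNG, base64 encoded;
    // here it is used only as a per-user salt, not as an encryption key
    var salt = generateSecretKey("AES", 128);
    var iterations = 100000;
    return {
        pw_salt = salt,
        pw_iterations = iterations,
        pw_hash = hashPassword(arguments.password, salt, iterations)
    };
}

function verifyPassword(required string password, required struct stored) {
    // Recompute with the stored salt and iteration count, then compare in constant time
    // using java.security.MessageDigest.isEqual to avoid a timing side channel
    var candidate = hashPassword(arguments.password, arguments.stored.pw_salt, arguments.stored.pw_iterations);
    var md = createObject("java", "java.security.MessageDigest");
    return md.isEqual(charsetDecode(candidate, "UTF-8"), charsetDecode(arguments.stored.pw_hash, "UTF-8"));
}

// Usage with a constructed password (never log real form input):
cred = createCredential("correct horse battery staple");   // store cred in the user's row
writeOutput(verifyPassword("correct horse battery staple", cred)); // true
writeOutput(verifyPassword("wrong password", cred));               // false
```

Because the salt and iteration count are stored per user, you can raise the iteration count for new or rehashed passwords later without touching existing rows, and leaking the salt alone gives an attacker nothing beyond having to crack each user separately.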
To me, the most significant difference between encrypt and hash is that you can decrypt the result of an encrypt, but you can't un-hash the result of a hash. The most appropriate method has to take your lost password strategy into account.
Ok, I think I gotcha. Hash would be acceptable if the user is to just create a new password given from a link in an email. Encrypt would be more for emailing the user their lost password?
Anything I'm missing here?
Also, still looking for best practice in storing salts!
THANKS!!!!
One consideration here: I would never return the user's previous password to them, I would change it to be a temporary one, make them use that to log in and then get them to reset it to something after that.
I would never encrypt a pwd, I would always hash it.
Mileage varies though: this is just another opinion for you to consider.
--
Adam
Thanks for the lost-password tip. Is hash better because it's one-way? Or that it has a longer length?
Also, anyone dealing with salt storing, let's hear your solution
Hash is more secure because it is one way. Whether that is better or worse is a matter of opinion and circumstances. I've only ever written one app where the situation came up, and I used hash. But I do intranet, and that app only has 3 or 4 users. If they forget their passwords, I'll update it myself and simply tell them what it is. They do have the option of changing it.