If your purpose is to protect the password during transmission from the client to the server, that means you need to encode it on the client, but in a manner that you can reproduce on the server. ColdFusion's Hash() function encrypts a string with the MD5 algorithm, and a JavaScript library to do the same on the client is available here:
MD5 is a one-way hash, meaning two identical strings will always yield the same hash, but it takes a very large amount of processing power to find the original string if all you have to work from is the resulting hash.
This is the way I would recommend doing it:

- Put some JS code in your page so that before the form is submitted, the value of the password field is MD5-encrypted.
- When you query the database for the password, compare the password's hash to the hashed password supplied in the form submission. If they match, the password was right.

Keep in mind that hashing the password prevents someone who intercepts the traffic from knowing what the password really is, but you haven't really protected the application because intercepting the hashed password is just as good in terms of accessing the application in question. To truly protect secure communications, you MUST use SSL, which uses the much more secure public/private key infrastructure.
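
The two steps above and the closing caveat, as an added example that is not part of the original post: Node's built-in crypto module stands in for the browser MD5 library, and the user table, function names and sample password are constructed for illustration. It shows that the plaintext never appears in the request, yet the server accepts a resubmission of the observed hash exactly as it accepts the real user.

```javascript
// Added illustration; every name below is hypothetical, not from the original post.
const crypto = require('crypto');

// Step 1 (done in the browser in the post): hash the password field before submit.
function md5Hex(text) {
  return crypto.createHash('md5').update(text, 'utf8').digest('hex');
}

// Constructed sample "database": the server keeps the MD5 of each password.
const users = new Map([['alice', md5Hex('correct horse battery')]]);

// Step 2 (server side): compare the submitted hash with the stored hash.
// Hex case can differ between MD5 implementations, so normalise before comparing.
function serverLogin(username, submittedHash) {
  const stored = users.get(username);
  if (!stored || typeof submittedHash !== 'string') return false;
  const a = Buffer.from(stored.toLowerCase(), 'utf8');
  const b = Buffer.from(submittedHash.toLowerCase(), 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// The form body that crosses the wire when the page hashes before submitting.
function buildFormBody(username, password) {
  return new URLSearchParams({ username, password: md5Hex(password) }).toString();
}

function demo() {
  const wire = buildFormBody('alice', 'correct horse battery');
  const seen = new URLSearchParams(wire); // what an observer of plain HTTP reads
  return {
    plaintextOnWire: wire.includes('correct'),
    legitimateLogin: serverLogin('alice', md5Hex('correct horse battery')),
    wrongPassword: serverLogin('alice', md5Hex('guess')),
    // The server has no way to tell this from the real user: the hash IS the credential.
    replayOfCapturedHash: serverLogin(seen.get('username'), seen.get('password')),
  };
}

console.log(demo());
```
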