Function Forum: Hash()

 
Dec 27, 1999
by Michael Dinowitz

Password encryption is key to many sites, from intranets to E-Commerce. ColdFusion has a few functions that do encryption in one form or another, but they all share a single flaw: if someone has hacked into your site and obtained the encrypted value, as well as the encryption key, they can reverse the process and find out a user's password. This is rather important, because most people keep using the same password from site to site. If you know their password on one site, you probably know it on a host of others.

A perfect solution to this would be to store the password as the result of a one-way encryption. In the past, this was done using a ColdFusion extension called CFX_Hash. This extension has proven to be rather useful for security. It must have gotten some supporters inside Allaire, as they've decided to incorporate the functionality of this extension into the core of ColdFusion.

The Hash() function will take any string value and turn it into a 32-bit encrypted string. This is a one-way encryption that always returns a result of the same size. The only problem with this function is that it is not documented in the ColdFusion 4.5 documentation.

Using some experimentation, I've compiled the following profile for the function. I'm not sure exactly how the encrypted value is generated, but I'm sure someone will tell me once they read this article.


Hash(string)

string (Required; accepts: String): String to be encrypted.

This function will take a string and do a one-way encryption of it. The result will be a 32-bit hexadecimal value. The encrypted value is a one-way hash that cannot be reversed.

<CFSET Test1=Hash(1)>
<CFSET Test2=Hash(2)>
<CFSET Test3=Hash(3)>
<CFSET Test4=Hash('a')>
<CFSET Test5=Hash('b')>
<CFSET Test6=Hash('Michael')>

<CFOUTPUT>
#Test1#<BR>
#Test2#<BR>
#Test3#<BR>
#Test4#<BR>
#Test5#<BR>
#Test6#<BR>
</CFOUTPUT>
		
Results:
C4CA4238A0B923820DCC509A6F75849B
C81E728D9D4C2F636F067F89CC14862C
ECCBC87E4B5CE2FE28308FD9F2A7BAF3
0CC175B9C0F1B6A831C399E269772661
92EB5FFEE6AE2FEC3AD71C777531578F
3E06FA3927CBDF4E9D93BA4541ACCE86

Data Type: String
Category: Crypto
Version: 4.5
Related Functions: CFusion_Encrypt, Encrypt
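
As an added example (not from the original article or from Allaire), the following Python code compares each value in the Results listing with the MD5 digest of its input, then shows a salted, iterated alternative for password storage using PBKDF2 from Python's standard library. The function names, the sample password and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Inputs and outputs copied from the article's Results listing.
ARTICLE_RESULTS = {
    "1": "C4CA4238A0B923820DCC509A6F75849B",
    "2": "C81E728D9D4C2F636F067F89CC14862C",
    "3": "ECCBC87E4B5CE2FE28308FD9F2A7BAF3",
    "a": "0CC175B9C0F1B6A831C399E269772661",
    "b": "92EB5FFEE6AE2FEC3AD71C777531578F",
    "Michael": "3E06FA3927CBDF4E9D93BA4541ACCE86",
}

def md5_hex(value):
    """Uppercase MD5 hex digest: 32 hexadecimal characters (128 bits)."""
    return hashlib.md5(value.encode("utf-8")).hexdigest().upper()

def check_results():
    """Map each article input to True if its listed value is the MD5 digest."""
    return {s: md5_hex(s) == h for s, h in ARTICLE_RESULTS.items()}

def new_record(password, iterations=200_000):
    """Salted, slow alternative: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)

if __name__ == "__main__":
    for text, ok in check_results().items():
        print(f"{text!r}: listed value is the MD5 digest -> {ok}")
    pw = "correct horse"  # constructed sample password, not from the article
    # A bare digest is identical for every user who picks the same password.
    print("bare digests repeat:", md5_hex(pw) == md5_hex(pw))
    first, second = new_record(pw), new_record(pw)
    print("salted records differ:", first[2] != second[2])
    print("verify right/wrong:", verify(pw, first), verify("wrong", first))
```

A bare digest of the password is the same for every account that uses that password, so stored values can be matched against precomputed tables; the per-user salt and iteration count remove that property.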
