Decrypted password hassle

I insert passwords encrypted into a members table:

Application.cfc holds:


<cfset Request.PasswordKey = "L2OIhfkjsyIJHK23jhfkuIYU">

Insert query:


<cfset Encrypted = Encrypt(Form.member_password, Request.PasswordKey)> 
<cfquery name="addAdmin" datasource="#Form.data_source_name#">
  INSERT INTO
        members
        (
        member_password
        )
  VALUES
        (
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim( Encrypted )#" />
        )      
</cfquery>

login_check.cfm:


<cfset Encrypted = Encrypt(Form.Password, Request.PasswordKey)> 
<cfquery name="checkDetails" datasource="#Application.dsn#">
  SELECT 
      member_id
    , member_username
    , member_password
  FROM 
      members
  WHERE 
      member_username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim( Form.Username )#" /> 
  AND 
      member_password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Encrypted#" />
</cfquery>

The insert works, but when I try to log in I get the error variable I declared in login_check.cfm:


<cfif Not checkDetails.recordCount>
<cfset variables.errorMessage = "The password you provided for <b>" & FORM.Username & "</b> is not right.">
</cfif>

When I use <cfdump> along with Decrypt to check the password, it gives me the password I try to log in with! What can be the reason?

Thank you in advance!

I’m kinda confused.

If you told it to <cfdump var="#decrypt( checkDetails.password, request.PasswordKey )#" /> then you WOULD get the password each and every time. If the password you entered was incorrect, the above would still give you the password, since you didn't change the first attribute with the value that was provided.

Also, you don't want to ever tell someone "The password for username: XXX is wrong". If they don't get the password/username combo right, don't hint that there is even a username with what was provided; just say "The credentials provided are incorrect" (or something to that effect).

I know what you're saying, aaron, but to test it I used just three letters as the password. I can maybe type that wrong one time, but not each time. Anyway, I couldn't figure out what the reason was, so I switched to using Hash instead, and that is working fine now!

By the way, thank you for your suggestion about the error message!

That’s odd. I just ran this code to make sure, and when it dumps the value for the ‘dec’ variable, sure enough it’s ‘password’.


<cfset request.passwordKey = "kjq239uraisjklqw398ur23" />
<cfset enc = encrypt( 'password', request.passwordKey ) />
<cfdump var="encrypted - #enc#" />
<cfset dec = decrypt( enc, request.passwordKey ) />
<cfdump var="decrypted - #dec#" />
<cfabort />

When we have this issue with co-workers and the above doesn't seem to work, we have them check other things which may be interfering with what we both know should be working.

Hash is good, but of course, it’s one way. :slight_smile:
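The thread moves from storing passwords with a reversible Encrypt() under a shared key to a one-way Hash(), and aaron also suggests returning one generic message whether the username or the password is wrong. The following is an added example, not code from the thread or from ColdFusion; it is Python, and it goes beyond the plain Hash() the thread mentions by adding a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), with a constant-time comparison. MEMBERS, add_member, check_details, login, ITERATIONS and the sample credentials are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the thread's "members" table:
# username -> (random salt, PBKDF2 digest). The password itself is never stored.
MEMBERS = {}

# Assumed work factor; a real deployment would tune this for its hardware.
ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: unlike Encrypt(), the stored value cannot be
    turned back into the password, even with access to the application code."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_member(username: str, password: str) -> None:
    """Registration: store a fresh random salt and the derived digest.
    Two members with the same password get different stored values."""
    salt = os.urandom(16)
    MEMBERS[username] = (salt, _derive(password, salt))


def check_details(username: str, password: str) -> bool:
    """Login check. True only when the username exists AND the password matches.
    An unknown username and a wrong password are indistinguishable to the caller."""
    record = MEMBERS.get(username)
    if record is None:
        # Do the same amount of work for a missing user so response timing
        # does not reveal whether the username exists.
        _derive(password, b"\x00" * 16)
        return False
    salt, stored = record
    # compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(_derive(password, salt), stored)


# One message for both failure modes, as suggested in the thread.
ERROR_MESSAGE = "The credentials provided are incorrect."


def login(username: str, password: str) -> str:
    """Returns a greeting on success, otherwise the generic error message."""
    if check_details(username, password):
        return f"Welcome, {username}"
    return ERROR_MESSAGE


if __name__ == "__main__":
    add_member("alice", "abc")           # constructed sample credentials
    print(login("alice", "abc"))         # Welcome, alice
    print(login("alice", "xyz"))         # The credentials provided are incorrect.
    print(login("nobody", "abc"))        # The credentials provided are incorrect.
```

The point of the salt is that a leaked members table no longer lets anyone match digests across accounts or against precomputed tables; the point of the generic message is that a login form cannot be used to confirm which usernames exist.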

Hi aaron
For sure I want to figure this out, but I didn't/don't have the time! I have to deliver tomorrow, and I'm in the last stages. These things can really break you up at times. In earlier years I wouldn't have stopped looking before I knew what the reason was, but hey, the rent has to be paid as well. So like I said, I will come back to this and keep you informed about what the cause is/was!

Thanks for the support

No prob; I understand if you have a deadline. If you do figure it out down the line, let us know :slight_smile: