For Love of Zod, Encrypt User Passwords
The Salt Lake ColdFusion Users Group Message Board, Talk forum
Matthew Reinbold:
Yes, encrypting user passwords in the database *should* seem like a no-brainer to all of us. And yet we still see major sites exposed, caught with their developmental pants about their ankles:
http://www.techcrunch...

"Rockyou is a crappy social media widget maker," I hear you say, "so what? What did the hackers really get?" Unfortunately, probably quite a bit. Do you use the same password on more than one site? It's pretty common and it makes things easy to remember, right? The *problem* is that it only takes one site to expose that password in plain text in their database and now your logins across *every* site have the potential to be compromised. See the coverage of the Twitter hacking that occurred over this summer ( http://www.techcrunch... ):

"Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user's entire online identity is only as strong as the weakest application they use, which often is to say, very weak.

"... Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, share data with other employees, be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application; it is the weakest application used by the weakest user. For an attacker such as Hacker Croll, looking to exploit the combination of bad user habit, poorly implemented features and users mixing their personal and business data, his chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves; the odds are not only stacked against Twitter, they are stacked against most companies adopting this model."

Please, for the Love of Zod, don't let your application be one of those weakened vectors.

- Matthew
Matthew Reinbold:
For an example of getting started with one way hashing, along with using a salt value (highly recommended, scroll to the comments) see:
http://www.petefreita...

- Matthew
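As an added example, not code from the thread or from the linked article, here is the salt-plus-one-way-hash approach the post points to, written in Python rather than ColdFusion so the logic is easy to follow; it goes one step further than a plain salted hash by using an iterated hash (PBKDF2), and the iteration count, salt size and stored record layout are my own choices. It also walks through the password-reuse scenario from the first post: the same password stored at two sites, in plaintext versus salted and hashed.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 parameters chosen for this example (an assumption, not from the thread):
# a per-record random salt plus an iterated hash so that guessing is slow.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # malformed or unknown record format: never accept
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def reuse_demo(password: str) -> dict:
    """Constructed scenario: one user reuses a password at two sites."""
    plain_a, plain_b = password, password                      # plaintext storage
    hashed_a, hashed_b = hash_password(password), hash_password(password)
    return {
        # True: a leaked plaintext record logs the attacker into the other site too.
        "plaintext_records_match": plain_a == plain_b,
        # False: different salts give different records, and neither reveals the password.
        "salted_records_match": hashed_a == hashed_b,
        "login_still_works": verify_password(password, hashed_a),
        "wrong_password_rejected": not verify_password(password + "x", hashed_a),
    }
```

The record format carries its own algorithm and iteration count so the cost can be raised later without breaking existing rows; rows with an old count are simply re-hashed on the user's next successful login.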
David McGuigan:
Great reminder Matt.
Jason Dean also goes into some pretty good detail on password security with ColdFusion (including salting and encryption options) at about 31 minutes and 20 seconds into this online CFUG security presentation: http://experts.na3.ac...