Shaun Mccran

My digital playground

23 Jan 2011

The Coldfusion Hash() function decoded - kind of

I've always believed that the hash() function in ColdFusion is a one-way process; if I wanted to reverse a string I had to use encode() and decode() instead. The Adobe documentation for Hash() states that "It is not possible to convert the hash result back to the source string".

Strictly speaking this is still true, but some bright spark has decided to host an MD5 string database and provide a lookup service.

The Hash() function has been around for a long time. In versions before ColdFusion 7 you could not specify an algorithm, so the function always produced an MD5 digest.

In most cases the algorithm did not matter much. Most developers used hash() to store a password, then hashed the string a user submitted at login and compared that against the stored database value.

    Hash(string [, algorithm [, encoding ]])

    <cfset variables.encodedValue = hash('myPassword')>

    <cfoutput>#variables.encodedValue#</cfoutput>

    Results in:
    DEB1536F480475F7D593219AA1AFD74C

In effect you could never get the password back again; you could only hash another string and check whether the two hashes matched.

The site http://www.md5decrypter.com/ appears to be hosting a database containing '8,076,999 unique MD5 hashes'. I've tested over a dozen random strings and they have all been successfully returned from their search.

This is probably more of a legacy application issue, but it is definitely worth noting that you should always specify an algorithm when calling hash() now, rather than accepting the MD5 default.

This really makes a good case for revisiting those 'old' applications that never get a budget for bringing up-to-date.

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)
Justin Carter: Technically you could do a lookup of any "one way" hash against a dictionary of hashes, regardless of the algorithm used (or seed). The main point definitely is to provide a *strong* seed to the hashing algorithm - someone could have a dictionary for lots of algorithm / seed combinations :P
# Posted By Justin Carter | 23/01/2011 23:28
Shaun McCran: @Justin, yes you could have a dictionary of hashed values for almost any algorithm.

Looking at the statistics though the more complex algorithms would need exponentially more records as they are many times more complex. This is even more evident if you compare the length of the same string encoded with MD5 and any one of the SHA algorithms.
# Posted By Shaun McCran | 23/01/2011 23:39
Ron Stewart: This is also why "salting" the string being hashed -- possibly with non-printable characters -- is also pretty important...
# Posted By Ron Stewart | 23/01/2011 23:47
Jonah Chanticleer: Glad to see I'm not the only person fixated on this topic. Great minds think alike, Shaun, eh? http://www.jonahchanticleer.com/post.cfm/md5-hashe... ;)

Joking aside, I wanted to thank you for the thought provoking tweet. It gave me incentive to do more writing than I have in a while.
# Posted By Jonah Chanticleer | 24/01/2011 01:00
Shaun McCran: @Jonah,

Glad I've re-ignited an interest :-)

@Ron, good point, any custom manipulation will greatly have an impact on the security of the data. Unless your manipulation device is insecure, then you've just given the key to the vault away.
# Posted By Shaun McCran | 24/01/2011 09:41
Peter Boughton: The "correct" way to do passwords IS salted hashes.

Every user has a random salt calculated which is mixed with their password before hashing, ensuring that someone who gains access to the database cannot simply do a hash lookup to obtain a password.

Here's an article that starts with over-simple plain text passwords, then takes steps to explain why salt makes sense, and how to be most secure:
http://www.developerfusion.com/article/4679/you-wa...
# Posted By Peter Boughton | 24/01/2011 10:12
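As an added example (not code from the post, nor ColdFusion's own implementation), the Python below mirrors what hash() produces and uses a constructed four-entry stand-in for the hosted MD5 database from the post, showing that an unsalted MD5 digest is found in such a table while the per-user salted SHA-256 record Peter describes is not; cf_hash, lookup, make_salted_record, verify_salted and the ALGORITHMS mapping are assumed names.

```python
import hashlib
import hmac
import secrets

# ColdFusion algorithm names mapped to hashlib names (assumed mapping; CF's "SHA" is SHA-1).
ALGORITHMS = {"MD5": "md5", "SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def cf_hash(value, algorithm="MD5"):
    """Mirror hash(string [, algorithm]): hex digest of the UTF-8 bytes, upper case."""
    return hashlib.new(ALGORITHMS[algorithm], value.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the hosted lookup database: a few common passwords stored
# exactly as an unsalted hash('...') call would produce them. A real service has millions.
MD5_LOOKUP = {cf_hash(p): p for p in ["password", "123456", "letmein", "myPassword"]}


def lookup(digest):
    """Return the plaintext if the digest is in the table (what the lookup site does)."""
    return MD5_LOOKUP.get(digest.upper())


def make_salted_record(password):
    """Per-user random salt mixed into the password before hashing with SHA-256.
    Store both values with the user row; the salt does not need to be secret."""
    salt = secrets.token_hex(16)
    return salt, cf_hash(salt + password, "SHA-256")


def verify_salted(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(cf_hash(salt + password, "SHA-256"), stored_digest)


if __name__ == "__main__":
    plain = cf_hash("myPassword")
    print("unsalted MD5:", plain, "->", lookup(plain))       # found in the table
    salt, digest = make_salted_record("myPassword")
    print("salted SHA-256:", digest, "->", lookup(digest))   # None: not in any table
    print("login check:", verify_salted("myPassword", salt, digest))
```

Two users with the same password get different salted digests, so a precomputed table would have to be rebuilt per salt, which is the point of Peter's comment.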
John Whish: MD5 is weak, you're much better off using one of the SHA algorithms. Jason Dean has an excellent security series on his blog http://www.12robots.com/
# Posted By John Whish | 24/01/2011 14:03
Dominic Watson: That hosted rainbow table lookup could be a great way to *test* your hashing methods (using salting, of course). You could even use it in a password strength tester! API wrapper on RIAForge anyone?
# Posted By Dominic Watson | 24/01/2011 19:51
Dominic Watson: Oh, only just now visited the site and seen that it is not an API (publicly at any rate). Still, there must be something out there...
# Posted By Dominic Watson | 24/01/2011 19:54
Shaun McCran: @John, yes MD5 is undoubtedly the weakest of the algorithms in the hash() function. If you are using ColdFusion server 7+ I'd definitely use a stronger encryption method.

@Dominic, interesting idea. I wouldn't be surprised if it was possible to do that, or perhaps they even have an API they just haven't exposed.
# Posted By Shaun McCran | 24/01/2011 21:32
Jonah C: Made a discovery today while doing research for a project that made me feel a little foolish. Turns out US-CERT has specifically warned software developers, website owners, certificate authorities and end users to avoid MD5 (http://www.kb.cert.org/vuls/id/836068). SHA-2 seems to be the Federal Government agency standard for all new applications. Consider me officially schooled. :)
# Posted By Jonah C | 11/05/2011 15:35
Shaun: That's an interesting article, thanks for the link :-)

Good to see there is an official GVMT standard.
# Posted By Shaun | 14/05/2011 22:08