ColdFusion Securely Storing Passwords
Consider the following code that implements a simple login.
<cfquery name="user" datasource="#request.dns#">
select * from users
where name = '#form.login#' and password = '#form.password#'
</cfquery>
<!--- if login failed go back to login page --->
<cfif user.recordcount is 0>
<cflocation url="login.cfm">
</cfif>
One of the issues with this is that the password is stored in the database as plain text. Anyone or anything with read access to the users table (a database administrator, a backup, a compromised ColdFusion application, or the SQL injection this query is open to, since the form fields are interpolated straight into the SQL string) can pull a list of every user together with their passwords, and because people reuse passwords, that list is valuable far beyond this one application. The fix is to store only a salted, slow hash of the password and to compare hashes at login time, so that even full read access to the table does not reveal the original passwords.
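The following is an added example, not code from the original page, showing the same login rewritten so that the database holds only a per-user random salt and a PBKDF2 hash. It assumes a users table with columns name, password_hash and password_salt, a datasource name in request.dsn, and ColdFusion 11 or later for generatePBKDFKey(); the function names createUser and checkLogin are chosen here for illustration. It also replaces the interpolated form values with cfqueryparam.

```cfml
<!--- Added example: salted, iterated password hashing for ColdFusion.
      Assumes a users(name, password_hash, password_salt) table and a
      datasource in request.dsn. Requires ColdFusion 11+ (generatePBKDFKey). --->

<!--- Registration: generate a random salt, derive a hash, store both.
      The plain-text password never reaches the database. --->
<cffunction name="createUser" returntype="void" output="false">
    <cfargument name="name" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var salt = "">
    <cfset var passwordHash = "">

    <!--- generateSecretKey() uses a CSPRNG; 256 random bits, Base64-encoded --->
    <cfset salt = generateSecretKey("AES", 256)>
    <!--- PBKDF2-HMAC-SHA256, 100,000 iterations, 256-bit output (Base64) --->
    <cfset passwordHash = generatePBKDFKey("PBKDF2WithHmacSHA256", arguments.password, salt, 100000, 256)>

    <cfquery datasource="#request.dsn#">
        insert into users (name, password_hash, password_salt)
        values (
            <cfqueryparam value="#arguments.name#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#passwordHash#" cfsqltype="cf_sql_varchar">,
            <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar">
        )
    </cfquery>
</cffunction>

<!--- Login: look the user up by name only, then recompute the hash with the
      stored salt and compare it to the stored hash. --->
<cffunction name="checkLogin" returntype="boolean" output="false">
    <cfargument name="name" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var candidate = "">

    <cfquery name="local.user" datasource="#request.dsn#">
        select password_hash, password_salt
        from users
        where name = <cfqueryparam value="#arguments.name#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfif local.user.recordCount neq 1>
        <cfreturn false>
    </cfif>

    <cfset candidate = generatePBKDFKey("PBKDF2WithHmacSHA256", arguments.password, local.user.password_salt, 100000, 256)>
    <!--- compare() is case-sensitive and returns 0 when the strings match --->
    <cfreturn compare(candidate, local.user.password_hash) eq 0>
</cffunction>

<!--- Login handler: same redirect as before, but driven by the hash check --->
<cfif not checkLogin(form.login, form.password)>
    <cflocation url="login.cfm" addtoken="false">
</cfif>
```

With this layout a dump of the users table yields only salts and hashes; an attacker has to run the 100,000-iteration PBKDF2 per guess per user to recover anything. Two caveats a reviewer would raise: compare() is not a constant-time comparison, and the early return for an unknown user makes failed logins for non-existent names faster than for real ones, so if login timing matters to you, compute a hash against a dummy salt on that path as well. If you are on a ColdFusion release that ships a memory-hard function such as Argon2, prefer it over PBKDF2.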