 

Hashed password sometimes longer than 128 characters

Tags:

coldfusion

I'm having a weird security-related problem. Lately I've been getting regular but intermittent errors when trying to insert hashed passwords into a SQL Server database field that's nvarchar(130):

<cfqueryparam value="#hashpass#" cfsqltype="cf_sql_char" maxLength="130">

The hashpass variable is set thus:

<cfset hashpass = Hash(arguments.password & getsalt.user_salt, "SHA-512")>

Wondering how it's possible for a SHA-512 hash to be longer than 128 characters, when the documentation says it should always be 128 exactly? Here's the ColdFusion 10 error:

[Macromedia][SQLServer JDBC Driver][SQLServer]String or binary data would be truncated.

Chris asked May 31 '15 20:05



1 Answer

It seems from your error that the issue is at a database level, as ColdFusion is not failing your maxlength check on the cfqueryparam tag and is allowing the query to be executed. I just tested trying to pass a string that exceeds the length specified in the maxlength attribute (on CF10) and get the error:

The cause of this output exception was that:
coldfusion.tagext.sql.QueryParamTag$InvalidDataException:
Invalid data value this-is-a-string-that-is-too-long exceeds maxlength setting 10.

As Adam Cameron mentioned in the comments to the question, it seems likely that it is a different field in your query that is throwing the error.

As the hashed password will be 128 characters long, is there a reason why you are validating 130 characters?

John Whish answered Oct 06 '22 10:10
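The two claims in the answer (a SHA-512 hex digest is always 128 characters whatever the password length, so the truncation must come from some other column) can be checked directly. The following is an added example, not code from the question, the answer or ColdFusion itself. It is written in Python rather than CFML, models `Hash(password & salt, "SHA-512")` as a UTF-8 encoded SHA-512 hex digest in upper case (ColdFusion's usual default encoding and output case, assumed here), and uses constructed sample passwords, a made-up salt and a made-up set of column widths so that it runs offline:

```python
import hashlib

# Constructed sample inputs (not from the original post): empty, short, long,
# non-ASCII and very long passwords, plus a stand-in for getsalt.user_salt.
SAMPLE_PASSWORDS = ["", "pw", "correct horse battery staple", "пароль", "x" * 10000]
SAMPLE_SALT = "8f2b1e0c4d7a"  # hypothetical salt value

# Hypothetical column widths of the INSERT, mirroring the nvarchar(130) in the question.
COLUMN_WIDTHS = {"user_hash": 130, "user_salt": 32, "email": 50}


def cf_sha512_hex(password: str, salt: str, encoding: str = "utf-8") -> str:
    """Model of ColdFusion's Hash(password & salt, "SHA-512").

    The digest is 64 bytes; rendered as hex that is always 128 characters,
    independent of how long the concatenated input is.
    """
    data = (password + salt).encode(encoding)
    return hashlib.sha512(data).hexdigest().upper()


def hash_lengths(passwords, salt):
    """Length of the hex digest for each sample password (expected: 128 for every one)."""
    return [len(cf_sha512_hex(p, salt)) for p in passwords]


def find_truncating_columns(row: dict, widths: dict) -> list:
    """Return (column, actual_length, max_length) for every value that would be
    truncated by its column width.

    This is the check SQL Server performs before raising "String or binary data
    would be truncated"; running it application-side names the offending column,
    which the database error message does not.
    """
    return [(col, len(val), widths[col]) for col, val in row.items()
            if len(val) > widths[col]]


if __name__ == "__main__":
    print(hash_lengths(SAMPLE_PASSWORDS, SAMPLE_SALT))
    # A row whose password hash fits but whose e-mail is too long for its column.
    sample_row = {
        "user_hash": cf_sha512_hex("pw", SAMPLE_SALT),
        "user_salt": SAMPLE_SALT,
        "email": "someone-with-a-very-long-address@example.example.example.org",
    }
    print(find_truncating_columns(sample_row, COLUMN_WIDTHS))
```

Because the digest length is fixed, the column can be declared as exactly char(128) or nvarchar(128) and the `maxLength` on the `cfqueryparam` set to match; a width that matches each value makes a truncation error point at the right field immediately. Separately, a single SHA-512 over password and salt is fast to brute-force; the length argument above is the same for any fixed-output digest, but stored credentials are better protected with a purpose-built password hash (bcrypt, scrypt, Argon2 or PBKDF2).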