I'm having a weird security-related problem: lately I've been getting regular but intermittent errors when trying to insert hashed passwords into a SQL Server database field that's nvarchar(130):
<cfqueryparam value="#hashpass#" cfsqltype="cf_sql_char" maxLength="130">
The hashpass variable is set thus:
<cfset hashpass = Hash(arguments.password & getsalt.user_salt, "SHA-512")>
Wondering how it's possible for a SHA-512 hash to be longer than 128 characters, when the documentation says it should always be 128 exactly? Here's the ColdFusion 10 error:
[Macromedia][SQLServer JDBC Driver][SQLServer]String or binary data would be truncated.
A hash always has a fixed length of, for example, 12 characters (depending on the hash algorithm you use). So a 20-char password would be reduced to a 12-char hash, and a 4-char password would also yield a 12-char hash.
ASVS states that passwords should be at most 128 characters. This originates from the idea that longer passwords take longer to hash, which can lead to a denial of service when an attacker performs login attempts with very long passwords. However, this is not generally true.
Hashing turns your password (or any other piece of data) into a short string of letters and/or numbers using an encryption algorithm. If a website is hacked, cyber criminals don't get access to your password. Instead, they just get access to the encrypted “hash” created by your password.
bcrypt has a maximum input length of 72 bytes for most implementations. To protect against this issue, a maximum password length of 72 bytes (or less if the implementation in use has smaller limits) should be enforced when using bcrypt.
It seems from your error that the issue is at a database level, as ColdFusion is not failing your maxlength check on the cfqueryparam tag and is allowing the query to be executed. I just tested trying to pass a string that exceeds the length specified in the maxlength attribute (on CF10) and get the error:
The cause of this output exception was that:
coldfusion.tagext.sql.QueryParamTag$InvalidDataException:
Invalid data value this-is-a-string-that-is-too-long exceeds maxlength setting 10.
As Adam Cameron mentioned in the comments to the question, it seems likely that it is a different field in your query that is throwing the error.
As the hashed password will be 128 chars long - is there a reason why you are validating 130 chars?
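To confirm the two points above (a SHA-512 hex digest is always 128 characters, so the hashpass parameter cannot be the one being truncated, and the culprit must be another bound value), here is an added Python example that is not part of the question or the answer. It assumes Python's hashlib mirrors ColdFusion's Hash(..., "SHA-512") (uppercase hex, UTF-8 input) and emulates the cfqueryparam maxLength check over a constructed set of parameters.

```python
import hashlib


def salted_sha512_hex(password: str, salt: str) -> str:
    """Mirror of Hash(arguments.password & user_salt, "SHA-512").

    Assumption: CF's Hash() returns an uppercase hex digest; for SHA-512
    that is 64 bytes -> 128 hex characters, regardless of input length.
    """
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest().upper()


def check_param_lengths(params: dict) -> list:
    """Emulate the cfqueryparam maxLength check for every bound value.

    params maps parameter name -> (value, declared max length).
    Returns the names whose value is longer than its declared width.
    An empty list means every parameter fits, so a SQL Server
    "String or binary data would be truncated" error must be caused by a
    column whose real width is smaller than the value being inserted.
    """
    return [name for name, (value, max_len) in params.items() if len(value) > max_len]


def diagnose_insert(password: str, salt: str, other_params: dict) -> list:
    """Build the hashpass parameter exactly as the question does (nvarchar(130),
    maxLength=130) alongside the other constructed parameters and report which
    ones would be rejected by the maxLength check."""
    params = {"hashpass": (salted_sha512_hex(password, salt), 130)}
    params.update(other_params)
    return check_param_lengths(params)


if __name__ == "__main__":
    # Constructed sample: a very long password still yields a 128-char hash,
    # while a 60-char username bound to a 50-wide column is the real offender.
    sample = {"username": ("a" * 60, 50), "email": ("user@example.com", 100)}
    print(len(salted_sha512_hex("x" * 500, "salt")))      # 128
    print(diagnose_insert("correct horse", "salt", sample))  # ['username']
```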