
I am using the following code to encrypt user password.

<cfset "EncryptedNewPass" = Encrypt(#HTMLCodeFormat(NewPass)#, Request.PasswordKey)>

Then I compare it to the value stored in the database, and it works fine. However, if I get the value from the database and use decrypt as follows

<cfset DecryptedPass = Decrypt(#getOrigPassFP.pass#, Request.PasswordKey)>

and do cfout, the value is wrapped with <pre> </pre> tag. The issue that I am having is since we also use the password to open a PDF document, it is throwing an error. I tried using replace to strip the tag but when it is displayed or passed to a variable, it still contains the <pre> tag.

duncan
Balcha Aba Nebso
    You don't need the " " around EncryptedNewPass. You don't need the # # in your statements – duncan Sep 17 '13 at 17:06
  • As per Duncan's comment, I recommend you read this: http://cfmlblog.adamcameron.me/2013/09/when-to-use-pound-signs.html – Adam Cameron Sep 17 '13 at 17:12
  • **WARNING** - When using the `Encrypt()` function without specifying the algorithm to use it defaults to `CFMX_COMPAT`. From Adobe's own docs "_This algorithm is the least secure option (default)_". [Link to docs on Encrypt](http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_e-g_01.html) – Miguel-F Sep 17 '13 at 17:34
  • Yeah, do not use `CFMX_COMPAT` for anything. It is almost like no encryption at all. – Leigh Sep 17 '13 at 17:41
  • And actually with passwords I'd not be *encrypting* them, I'd be hashing them. – Adam Cameron Sep 17 '13 at 17:55
  • Definitely don't use CFMX_COMPAT. Or MD5. Do like Adam says and hash them. And salt them. Securely storing passwords can be a pretty big topic, but there's a lot of info out there on how to do it. SHA-256 is good. Use the highest algorithm you need to. The larger the algorithm, the harder it is to break. But the more time it will take to legitimately compute. https://crackstation.net/hashing-security.htm has some good info about hashing and salting passwords. – Shawn Sep 17 '13 at 18:15
  • And there's a good answer on SO that explains the difference between encryption and hashing and when you should use one over the other. http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms – Shawn Sep 17 '13 at 18:27
  • Yes, normally you would want to hash. But it sounds like he needs a plain text password to open the pdf, in which case hashing is out. – Leigh Sep 17 '13 at 20:08
  • Just for now, is there any way I can remove the `<pre>` and `</pre>` tag? – Balcha Aba Nebso Sep 18 '13 at 17:44
  • Did you read Adam's response? Stop wrapping the input in `HTMLCodeFormat()` and you won't have this problem. For existing values, you will have to decrypt them - remove the `pre` tags - and re-encrypt (hopefully with a *real* encryption algorithm ;). – Leigh Sep 18 '13 at 21:51
  • I understand what you are saying but my issue is how do I remove the pre tags once it is decrypted before encrypting it back? – Balcha Aba Nebso Sep 19 '13 at 15:33

2 Answers


You are putting the <pre> tags in there yourself!! What do you think HTMLCodeFormat() does??!

Adam Cameron
  • Is there any way to remove the `<pre>` tags or convert it to plain text to allow me to use the password? Please help. – Balcha Aba Nebso Sep 18 '13 at 20:01
  • Did you read the docs for htmlCodeFormat() that I linked to? You are *specifically* adding the PRE tags by using that function. That's what that function *does*. If you don't want that: don't blimin' use it! – Adam Cameron Sep 18 '13 at 22:26
  • I did read the link. Going forward, I will remove the formatting but how can I remove the existing ones with the pre tag. As Leigh suggested, I can decrypt the existing ones then remove the pre tag and then encrypt back. But I am at a loss on how to remove the pre tag. Any help is really appreciated. – Balcha Aba Nebso Sep 19 '13 at 15:37

From the comments: I understand what you are saying but my issue is how do I remove the pre tags once it is decrypted before encrypting it back?

The following code is one example of how to remove the <PRE> and </PRE> tags from your decrypted values. (I am outputting all of the values so you can follow along when you execute this code.)

<cfset NewPass = "this_is_the_password">
<cfset PasswordKey = "this_is_the_really_weak_key">
<cfset EncryptedNewPass = Encrypt(HTMLCodeFormat(NewPass), PasswordKey)>
<cfset DecryptedPass = Decrypt(EncryptedNewPass, PasswordKey)>
<cfoutput>
<p>NewPass = #NewPass#</p>
<p>PasswordKey = #PasswordKey#</p>
<p>EncryptedNewPass = #EncryptedNewPass#</p>
<p>DecryptedPass = #HTMLEditFormat(DecryptedPass)#</p>
<cfif Left(DecryptedPass,5) EQ "<PRE>">
    <cfset DecryptedPass = Right(DecryptedPass,(Len(DecryptedPass)-5))>
    <p>Found and removed &lt;PRE&gt; tag = #HTMLEditFormat(DecryptedPass)#</p>
</cfif>
<cfif Right(DecryptedPass,6) EQ "</PRE>">
    <cfset DecryptedPass = Left(DecryptedPass,(Len(DecryptedPass)-6))>
    <p>Found and removed &lt;/PRE&gt; tag = #HTMLEditFormat(DecryptedPass)#</p>
</cfif>
</cfoutput>

Looking at that code, this block will remove the <PRE> from the beginning of the string:

<cfif Left(DecryptedPass,5) EQ "<PRE>">
    <cfset DecryptedPass = Right(DecryptedPass,(Len(DecryptedPass)-5))>
    <p>Found and removed &lt;PRE&gt; tag = #HTMLEditFormat(DecryptedPass)#</p>
</cfif>

And this block will remove the </PRE> from the end of the string:

<cfif Right(DecryptedPass,6) EQ "</PRE>">
    <cfset DecryptedPass = Left(DecryptedPass,(Len(DecryptedPass)-6))>
    <p>Found and removed &lt;/PRE&gt; tag = #HTMLEditFormat(DecryptedPass)#</p>
</cfif>

I only used HTMLEditFormat() to output the values for you to see in the browser. Do NOT use these functions when encrypting or decrypting your values.

You also need to be aware that the HTMLCodeFormat() function does more than just wrap the given string in <PRE> tags. That function also changes the characters: <, >, &, and " to their HTML character entity equivalent. If any of your users used those characters in their password then your decryption of them will fail (will not be equal to their actual password).

This function converts the following characters to HTML character entities:

Text character    Encoding
<                 &lt;
>                 &gt;
&                 &amp;
"                 &quot;
Miguel-F
  • *Do NOT use these functions when encrypting or decrypting your values.* Yep, generally you want to avoid monkeying around with encrypted/pre-encrypted values in any way, because even a single space can make a big difference. – Leigh Sep 20 '13 at 01:48
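As an added example that is not part of the original thread (the answer above is ColdFusion, which this is not), here is a Python model of the same clean-up step, covering both the `<PRE>`/`</PRE>` stripping the answer shows and the entity caveat it raises. The function names `html_code_format`, `strip_wrapper_only`, `unwrap_html_code_format` and `recovers_original` are my own, and `html_code_format` is an assumed stand-in for ColdFusion's `HTMLCodeFormat()` built only from what the answer states (wrap in `<pre>`, escape the four characters in the table). It shows why stripping the tags alone is not enough when a password contains `&`, `<`, `>` or `"`: those come back as entities unless they are decoded too, and `&amp;` has to be decoded last.

```python
import re

# Constructed model of ColdFusion's HTMLCodeFormat() as the answer describes it:
# escape <, >, & and " as entities, then wrap the result in <pre>...</pre>.
# This is an assumption for the demo, not ColdFusion's own implementation.
def html_code_format(value: str) -> str:
    escaped = (value.replace("&", "&amp;")   # & first, so the entities below are not double-escaped
                    .replace("<", "&lt;")
                    .replace(">", "&gt;")
                    .replace('"', "&quot;"))
    return "<pre>" + escaped + "</pre>"


def strip_wrapper_only(value: str) -> str:
    """The Left()/Right() approach from the answer: drop a leading <PRE> and a
    trailing </PRE>, case-insensitively, and nothing else. Entities remain."""
    if value[:5].upper() == "<PRE>":
        value = value[5:]
    if value[-6:].upper() == "</PRE>":
        value = value[:-6]
    return value


# Anchored at both ends, case-insensitive, DOTALL so a multi-line value is matched whole.
_WRAPPER = re.compile(r"\A<pre>(.*)</pre>\Z", re.IGNORECASE | re.DOTALL)


def unwrap_html_code_format(value: str) -> str:
    """Full reversal: strip the wrapper, then decode exactly the four entities
    HTMLCodeFormat produces. A value with no wrapper is returned unchanged, so
    the routine can be run over a table that holds both old and already
    migrated rows without damaging the migrated ones."""
    match = _WRAPPER.match(value)
    if match is None:
        return value
    inner = match.group(1)
    # &amp; must be decoded last: a password that literally contained "&lt;"
    # was stored as "&amp;lt;", and decoding &amp; first would turn it into "<".
    for entity, char in (("&lt;", "<"), ("&gt;", ">"), ("&quot;", '"'), ("&amp;", "&")):
        inner = inner.replace(entity, char)
    return inner


def recovers_original(password: str) -> bool:
    """Round-trip check to validate the clean-up before touching real rows."""
    return unwrap_html_code_format(html_code_format(password)) == password


if __name__ == "__main__":
    # Constructed sample passwords, including the characters the answer warns about.
    samples = ["this_is_the_password", 'p@ss"word&<x>', "&lt;literal", "<pre>looks wrapped</pre>"]
    for pw in samples:
        stored = html_code_format(pw)
        print(f"{pw!r:28} strip-only -> {strip_wrapper_only(stored)!r:34} "
              f"full -> {unwrap_html_code_format(stored)!r}  ok={recovers_original(pw)}")
```

In a migration this sits between the decrypt and the re-encrypt: decrypt the stored value, pass it through `unwrap_html_code_format`, verify nothing else was changed, then encrypt the cleaned string with a named algorithm rather than the default. Running `recovers_original` over a representative set of passwords first is the cheapest way to catch a password the clean-up would corrupt.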