Encrypt and Decrypt problems

I’m trying to do some basic encryption for a password table in my database. I’m just testing the code right now before I commit. Here it is:


<cfscript>

$ = (str)=> echo("#str#<br>")

query datasource="XXXXXX" name="q" sql="

select username, pw from user

";

loop query="q"{

	key = generateSecretKey('AES');

	echo("Encrypted with ::>[ #key# ] - ")

	enc = encrypt(pw, key, 'AES')

	echo(enc & "<br><br>")

	dec = decrypt(enc, key, 'AES')

	echo("Decrypted with ::>[ #key# ] - #dec#<hr>")

}
 
</cfscript>

Here is the response that I get:

The decrypt function works on the first pass through of the looped query, without fail. Everything after that is a flop. I generate a new key on every pass thru and encrypt and decrypt with the same key. This is driving me bonkers.

Am I doing something incorrectly here, or is this an issue with Lucee?

OS: >>> macOS Ventura vs. 13.0.1
Java Version: ???
Tomcat Version: 9
Lucee Version: 5.3.9.166

Here seems works fine:

1 Like

Turns out the error I was having was my own stupidity. I was testing on a table that already encrypted data. The only one “working” was mine because thats the only one I had changed tp plain text. The others were working as well It’s just the decrypt function was spitting out the already encrypted files that I’d forgotten already had hashed PW’s in them.

2 Likes

Just a little note. I’m not a security expert at all, but from my understanding, it’s not good security practice to store decryptable passwords anywhere at all. Please, really consider changing that into a one way password hashing and also including salt and pepper into that.

There is a really wonderful blog post about this from @andrew that from my point of view should be a must read to any cfml developer who develops apps with accounts, passwords and logins:

No matter how unimportant or uncritical your app might be, please consider it and try to implementing it as hashing and not as reverse decryptical strings.

5 Likes

Please, also read the follow up post

1 Like

That’s been the reply that I got form a lot of people. Looks like I need to revamp my password recovery system to be more of a change your password instead.

3 Likes

Hey Andreas – Just wanted you to know that I’ve revamped my login & password recovery reset system to no longer hold encrypt/decrypt data.

1 Like

It’s funny - It always AFTER you post - and seems to be always AFTER someone else has "helped’… that you realise you were the problem… or it was spectacularly obvious…

I’m not saying I’m stupid… but…
Happens to me all the time!