Adam Tuttle

Using bCrypt in ColdFusion 10

What follows is an article originally written by John Whish, reproduced here with his permission. I'm re-posting it because his blog has since gone offline and I like linking to this information, including in my book, REST Assured. I'm posting this from the future (2021! The hoverboards are everything we ever dreamed of and more! hover boards omg!) but back-dating the entry to match John's original post date.


As you may have seen on the twitterverse, it has been reported that 6.5 Million LinkedIn Password Hashes Leaked. There are several comments about using bCrypt (or sCrypt) to provide improved security and this reminded me that Marc Esher blogged about Hashing passwords with bcrypt in ColdFusion. Since Marc posted this, ColdFusion 10 has been released, which has improved Java integration, so I thought I'd take his code and do it using ColdFusion 10 and here it is:

Application.cfc

component {
    this.name = "bcrypt_in_cf10";
    // ColdFusion 10: add the directory holding BCrypt.class to the application's Java class path
    this.javaSettings = {
        LoadPaths = ["/classfiles"]
    };
}

I also needed to create a directory called "classfiles" and drop in the BCrypt.class script (which I downloaded from here)

bcrypttest.cfm

<cfscript>
// BCrypt resolves from the /classfiles LoadPath set in Application.cfc
bcrypt = CreateObject( "java", "BCrypt" );
WriteDump( bcrypt );

pw = "happy1.!gIlm0re";

// gensalt() with no argument uses jBCrypt's default cost factor of 10
startts = getTickCount();
hashed = bcrypt.hashpw(pw, bcrypt.gensalt());
writeoutput("created password '" & hashed & "' in " & getTickCount() - startts & " ms");

startts = getTickCount();
match = bcrypt.checkpw(pw, hashed);
writeoutput("checked pw match (#match#) in " & getTickCount() - startts & " ms");

// cost factor 12: 2^12 rounds, about four times the work of the default
startts = getTickCount();
hashed = bcrypt.hashpw(pw, bcrypt.gensalt(12));
writeoutput("created password '" & hashed & "' in " & getTickCount() - startts & " ms");

startts = getTickCount();
match = bcrypt.checkpw(pw, hashed);
writeoutput("checked password match (#match#) in " & getTickCount() - startts & " ms");

// just for giggles try an incorrect password
startts = getTickCount();
match = bcrypt.checkpw("5p1na1.Tap", hashed);
writeoutput("checked incorrect password match (#match#) in " & getTickCount() - startts & " ms");
</cfscript>

Pretty simple huh!
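The strings hashpw() returns above carry their own cost factor (gensalt() defaults to 10 in jBCrypt, gensalt(12) gives 12), which lets you spot hashes created at a lower cost and upgrade them on the next successful login. The following is an added example, not part of John's post, written in Python rather than CFML: a stdlib-only parser for that hash layout plus a needs_rehash check. The function names and the sample hashes are constructed for this example.

```python
import re

# Layout of the strings hashpw() returns:
#   $2a$<cost>$<22-char salt><31-char digest>, using bcrypt's own base64 alphabet (./A-Za-z0-9)
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")


def parse_bcrypt(hashed: str) -> dict:
    """Split a bcrypt hash into version, cost (log2 rounds), salt and digest.
    Raises ValueError for anything that is not a well-formed bcrypt string."""
    m = BCRYPT_RE.match(hashed)
    if not m:
        raise ValueError("not a bcrypt hash")
    version, cost, body = m.group(1), int(m.group(2)), m.group(3)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's range 4..31")
    return {"version": version, "cost": cost, "salt": body[:22], "digest": body[22:]}


def needs_rehash(hashed: str, target_cost: int = 12) -> bool:
    """True when a stored hash was made with a lower cost than policy requires,
    so the caller should re-hash the plaintext after the next successful checkpw()."""
    return parse_bcrypt(hashed)["cost"] < target_cost


def audit(hashes: dict, target_cost: int = 12) -> list:
    """Return the labels of stored hashes that should be upgraded at next login."""
    return [label for label, h in hashes.items() if needs_rehash(h, target_cost)]


# Constructed sample hashes: the salt/digest characters are placeholders, only the structure is real
SAMPLES = {
    "default_cost": "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "cost_12": "$2a$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
}

if __name__ == "__main__":
    for label, h in SAMPLES.items():
        info = parse_bcrypt(h)
        print(f"{label}: version={info['version']} cost={info['cost']} rehash={needs_rehash(h)}")
```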
