verifySCryptHash

This function compares a plaintext entry to the hashed string.
NOTE 1:Hashing is one-way, so you can't "decrypt" a hashed value. You have to hash the value you want to check and then compare that to the saved hash.

verifySCryptHash(plaintext,hashedstring); → returns boolean

This function requires Adobe ColdFusion 2021 and up. Not supported on Lucee, etc.

Argument Reference

plaintext string
Required

The unhashed string to compare.

hashedString string
Required

The hashed string to compare.

options struct
Default: `{"memorycost":8,"CpuCost":16348,"Parallel":1,"KeyLength":32,"saltLength":8}`

A struct containing the optional values:
--memorycost - Default is 8.
--CpuCost - CPU cost of the algorithm (as defined in scrypt, this is N) that must be a power of 2 and greater than 1. Default is currently 16,348 or 2^14.
--Parallel - the parallelization of the algorithm (as defined in scrypt, this is P). Default is currently 1.
--Keylength - key length for the algorithm (as defined in scrypt, this is dkLen). Default is currently 32.
--saltLength - length of the salt to use. Default is 8.

Links more information about verifySCryptHash

OWASP Password Storage Cheat Sheet - General advice from OWASP about how to work with passwords.
Using Password4j And The BCrypt, SCrypt, And Argon2 Password Hashing Algorithms In Lucee CFML 5.3.7.47 - Blog by Ben Nadel about using hashing algorithms.
Best practices for password hashing and storage - IETF info on password hashing best practices.
Hashing Passwords: One-Way Road to Security - Blog by Dan Arias on password hashing strategies.
scrypt - Wikipedia article about SCrypt.
CFPASSPhrase - Related project to help other engines utilize hashing functions.

Examples
Sample code invoking the verifySCryptHash function

Example of Verifying the SCrypt Hash

This is an example of using the function to check against a hashed value.

secretMsg="$e0801$21aGCy86deU=$Yp2UaxwONLNgp0kUaBwuXAqsnFaAjOAUislNejW6Bjs=";
checkMe="My voice is my passport. Verify me."
writeOutput(verifySCryptHash(checkMe,secretMsg);

Expected Result: YES

Example of Verifying the SCrypt Hash With Options Set On Hash

This is an example of using the function to check against a hashed value when the options were previously set.

secretMsg="$c0401$Eg7sS/HsxhHTWA==$sejraZ7kZZ82adEz8uHHUz51Hk36YkkJ4KZk3w==";
checkMe="Setec Astronomy"
writeOutput(verifySCryptHash(checkMe,secretMsg);

Expected Result: YES

Signup for cfbreak to stay updated on the latest news from the ColdFusion / CFML community. One email, every friday.

Fork me on GitHub

verifySCryptHash

Argument Reference

plaintext string Required

hashedString string Required

options struct Default: {"memorycost":8,"CpuCost":16348,"Parallel":1,"KeyLength":32,"saltLength":8}