Hello,

I am having a little problem with Login Generator ... I installed it per the instructions, ran to the signup page in anticipation of greatness, but ran into an exception! :-(

What is being thrown is this:

NoMethodError in Account#signup
private method `gsub!' called for Mon Apr 25 12:52:11 EDT 2005:Time
app/controllers/account_controller.rb:22:in `signup'
script/server:48

I am trying to spot down this problem, but given my limited Ruby/Rails experience, I don't see what is going on. Doing a little snooping around/commenting stuff out, it did produce an error where the "password_confirmation=" method in the user model did not exist.

I am using Rails 0.11.0 and Login Generator 1.

Thanks for helping.

Brian
Brian,

the password_confirmation= is created by the validates_confirmation_of :password method.

I think the problem is in the SQL schema for the user table. Could you paste the schema here or try again with the verbatim schema from the README_LOGIN file?

--
Tobi
http://www.snowdevil.ca - Snowboards that don't suck
http://www.hieraki.org - Open source book authoring
http://blog.leetsoft.com - Technical weblog
On Tue, 2005-04-26 at 12:03, Tobias Luetke wrote:
> Brian,
>
> the password_confirmation= is created by the validates_confirmation_of
> :password method.
>
> I think the problem is in the SQL schema for the user table. Could you
> paste the schema here or try again with the verbatim schema from the
> README_LOGIN file?

Hello,

Copying the schema verbatim from the readme worked. It was probably something of my doing that caused it.

Thanks for the assistance.

Brian
Hi,

A couple questions.

1) How do I decrypt the stored password? I know how to access the database value, just not how to convert it back. I've searched around the digest library, but it's not obvious. (I'm implementing a forgotten password function and need to send the unencrypted password)

2) I'm having a problem where I'm writing the logins just fine, but failing on the authenticate. It seems to be a problem with confirming the password, am I using the salt correctly?

Snippet...

@@salt = 'ahbnde532'

And then

def self.sha1(pass)
  Digest::SHA1.hexdigest("#{salt}--#{pass}--")
end

I'm wondering if I missed the boat on understanding if this was the correct way to seed the password function. Am I supposed to change anything in the self.sha1 method? Or is the salt supposed to be a certain # of chars?

Thanks,

Joe
You don't ever want to be able to decrypt a password (in fact there is nothing I cringe at more than websites that "offer" to send me my password if I forget it). That is one of the worst things from a security standpoint you can do. You should create a temp password for the user and send them that instead of trying to decrypt the existing one.

On top of that - most digest libraries are one way and don't allow for a decryption. You should normally just compare the entered digested password vs the stored digested password.

John W Higgins
wishdev-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
On 26 Apr 2005, at 19:59, Joseph Lyons wrote:
> 1) How do I decrypt the stored password? I know how to access the
> database value, just not how to convert it back. I've searched around
> the digest library, but it's not obvious. (I'm implementing a forgotten
> password function and need to send the unencrypted password)

You can't. SHA1 is a one-way encryption algorithm - the idea is that no-one, not even the database administrator, can find out the user's password. This is a Very Good Thing considering most users use the same password on multiple sites.

For forgotten passwords, rather than implementing "send me my password" you need to send the user an email with a link which they can click to reset their password. Generate a random string (16 characters long or thereabouts should be fine) and record it in your user table somewhere. Send it to the user in a link like this:

http://example.com/accounts/resetpassword?r=sjqhfixmxhqwodskdn3u

That script checks the users table for the user with that "secret" string. If a user is found, it presents a form allowing the user to set a new password. Of course, this is only as secure as the user's email account is but that's true for any lost password functionality. Be sure to remove the secret string from the user table after they've reset their password - in fact for extra security you should probably remove it after 24 hours anyway.

You don't have to put this in the user table - to avoid snarling it up with extra fields, you might want to use a lostpasswordrequests table instead which records the secret string, the user id for which the password was requested and the time at which the request was received (and maybe the IP address that requested the lost password). Having a table like this also makes it easier to spot suspicious activity.

Hope that helps,

Simon Willison
http://simon.incutio.com/
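The reset flow Simon outlines, as an added example that is not part of the thread: an in-memory stand-in for his lostpasswordrequests table (the class name, the 24-hour TTL constant and the method names are my own) that issues a 16-character secret, redeems it once within the expiry, purges stale rows, and counts pending requests per IP.

```ruby
require 'securerandom'

# Added example (not from the thread): an in-memory stand-in for the
# lostpasswordrequests table Simon describes. Each row records the secret,
# the user id, the request time and the requesting IP address.
class LostPasswordRequests
  TTL = 24 * 60 * 60  # seconds; the 24-hour expiry suggested above

  def initialize
    @rows = {}  # secret => { user_id:, requested_at:, ip: }
  end

  # Issue a request: a 16-character random secret the user receives by email.
  def create(user_id, ip, now = Time.now)
    secret = SecureRandom.hex(8)  # 8 random bytes -> 16 hex characters
    @rows[secret] = { user_id: user_id, requested_at: now, ip: ip }
    secret
  end

  # The link the email carries (example.com as in Simon's message).
  def reset_link(secret)
    "http://example.com/accounts/resetpassword?r=#{secret}"
  end

  # Handle ?r=...: returns the user id if the secret exists and is within
  # TTL, else nil. The row is deleted either way, so a secret is single-use
  # and an expired one cannot be retried later.
  def redeem(secret, now = Time.now)
    row = @rows.delete(secret)
    return nil if row.nil? || now - row[:requested_at] > TTL
    row[:user_id]
  end

  # Housekeeping for the "remove it after 24 hours anyway" advice; returns
  # the number of live rows left.
  def purge_expired(now = Time.now)
    @rows.delete_if { |_, r| now - r[:requested_at] > TTL }
    @rows.size
  end

  # "Easier to spot suspicious activity": pending requests from one IP
  # within the last `window` seconds.
  def pending_from(ip, now = Time.now, window = 60 * 60)
    @rows.values.count { |r| r[:ip] == ip && now - r[:requested_at] <= window }
  end
end
```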
> 1) How do I decrypt the stored password? I know how to access the
> database value, just not how to convert it back. I've searched around the
> digest library, but it's not obvious. (I'm implementing a forgotten password
> function and need to send the unencrypted password)

SHA1 isn't encryption, it's a hash. A hash simply provides a result that can uniquely identify its input, but retains none of the input's data. Simply put, if you know the input you can get the output, but if you only have the output you're in for a really long wait while you brute force it. As others have said, this is good for a website. Plus you really don't want to send an unencrypted password via email, you never know who stores a copy. HTTP is harder to pick up, and if you're really paranoid use HTTPS.

> 2) I'm having a problem where I'm writing the logins just fine, but failing
> on the authenticate. It seems to be a problem with confirming the password,
> am I using the salt correctly?
> Snippet...
> @@salt = 'ahbnde532'
>
> And then
>
> def self.sha1(pass)
>   Digest::SHA1.hexdigest("#{salt}--#{pass}--")
> end
>
> I'm wondering if I missed the boat on understanding if this was the correct
> way to seed the password function. Am I supposed to change anything in the
> self.sha1 method? Or is the salt supposed to be a certain # of chars?

No and no, it looks fine. Just make sure you never change the salt after you save the passwords, as the hash will change. Also, I'd put some capital letters and symbols in the salt, it makes it harder to brute force.

--
Phillip Hutchings
http://www.sitharus.com/
sitharus-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org / sitharus-QrR4M9swfipWk0Htik3J/w@public.gmane.org
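The digest comparison John and Phillip describe, as an added example that is not the generator's own code: a stand-in User model (the class, the salt accessors and the authenticate/salt_change_breaks_login? helpers are my own) around the sha1 method from Joe's snippet, showing that login works by re-hashing and comparing, and that changing the salt afterwards breaks every stored hash.

```ruby
require 'digest/sha1'

# Added example (not the generator's code): a stand-in User model carrying the
# class-level salt and the sha1 helper from Joe's snippet, plus the digest
# comparison John and Phillip describe.
class User
  @@salt = 'ahbnde532'  # the value from the thread; a real app would change it
  def self.salt; @@salt; end
  def self.salt=(s); @@salt = s; end

  def self.sha1(pass)
    Digest::SHA1.hexdigest("#{salt}--#{pass}--")
  end

  attr_reader :login, :hashed_password

  def initialize(login, plain_password)
    @login = login
    @hashed_password = User.sha1(plain_password)  # what the table stores
  end

  # Re-hash the attempt and compare digests; the stored value is never
  # reversed because a hash cannot be.
  def authenticate(attempt)
    candidate = User.sha1(attempt)
    return false unless candidate.bytesize == hashed_password.bytesize
    # OR-accumulate byte differences so the comparison does not stop at the
    # first mismatch (constant time for equal-length strings).
    candidate.bytes.zip(hashed_password.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Caveat a practitioner would add today: one application-wide salt (as here)
# means two users with the same password share a hash, and SHA1 is fast to
# brute force; current practice is a per-user salt and a slow KDF (e.g. bcrypt).

# Phillip's warning, made concrete: a hash stored under one salt no longer
# verifies once the salt changes. Returns true when the change breaks login.
def salt_change_breaks_login?(login, pass, new_salt)
  original = User.salt
  user = User.new(login, pass)
  ok_before = user.authenticate(pass)
  User.salt = new_salt
  ok_after = user.authenticate(pass)
  User.salt = original
  ok_before && !ok_after
end
```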