In the following code there is a comparison of the password stored in the database with the password entered by the user. Since the salt is created by appending a random number, how come it matches with what is stored in the database?

    require 'digest/sha1'

    class User < ActiveRecord::Base
      def self.authenticate(name, password)
        user = self.find_by_name(name)
        if user
          expected_password = encrypted_password(password, user.salt)
          if user.hashed_password != expected_password
            user = nil
          end
        end
        user
      end

      # The method header around the next two lines is missing from the post;
      # a before_create callback is assumed here, so salt and hash are computed
      # once, when the record is first saved.
      def before_create
        create_new_salt
        self.hashed_password = User.encrypted_password(self.password, self.salt)
      end

      private

      # Note: `private` does not apply to class methods defined with `def self.`;
      # this method stays callable as User.encrypted_password.
      def self.encrypted_password(password, salt)
        string_to_hash = password + "wibble" + salt   # 'wibble' makes it harder to guess
        Digest::SHA1.hexdigest(string_to_hash)
      end

      def create_new_salt
        self.salt = self.object_id.to_s + rand.to_s
      end
    end

TIA.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
On Sat, 14 Oct 2006 18:39:16 -0700 (PDT), Bala Paranj wrote:

> In the following code there is a comparison of the password stored in the database with the
> password entered by the user. Since the salt is created by appending a random number, how come it
> matches with what is stored in the database?

The salt's created only the first time it's needed; after that, it's always the same (note that it's stored in the user's record). So it's "random" to anyone trying a dictionary attack, but perfectly deterministic to your application.

Jay Levitt
On Oct 14, 2006, at 8:39 PM, Bala Paranj wrote:

> In the following code there is a comparison of the password stored in the database with the
> password entered by the user. Since the salt is created by appending a random number, how come it
> matches with what is stored in the database?

The salt is stored in the user record when it is created.

Cheers

Dave
Bala Paranj wrote:

> In the following code there is a comparison of the password stored in the database with the
> password entered by the user. Since the salt is created by appending a random number, how come it
> matches with what is stored in the database?
>
> def self.authenticate(name, password)
>   user = self.find_by_name(name)
>   if user
>     expected_password = encrypted_password(password, user.salt)
>     if user.hashed_password != expected_password
>       user = nil
>     end
>   end
>   user
>
>   create_new_salt
>   self.hashed_password = User.encrypted_password(self.password, self.salt)
> end
> private
> def self.encrypted_password(password, salt)
>   string_to_hash = password + "wibble" + salt # 'wibble' makes it harder to guess
>   Digest::SHA1.hexdigest(string_to_hash)
> end
> def create_new_salt
>   self.salt = self.object_id.to_s + rand.to_s
> end
> end
>
> TIA.

You can be more secure. Store an encrypted salt in the database:

    def create_new_salt
      self.salt = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
    end

And even more: do the same with the password before concatenating it with the salt.

And even more: use Digest::SHA1.hexdigest for the password and salt, and Digest::SHA256.hexdigest for hashed_password (require 'digest/sha2').

-- 
Posted via http://www.ruby-forum.com/.
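As an added example, not code from the thread, here is a plain-Ruby stand-in for the User model above that makes the two replies concrete: the salt is drawn once when the record is created and stored next to the hash, so authenticate recomputes the same value, while a login attempt that drew a fresh salt (what the question imagined) does not match. It assumes an in-memory hash in place of the database and SecureRandom in place of the post's object_id.to_s + rand.to_s; the hashing scheme itself is the thread's.

```ruby
require 'digest/sha1'
require 'securerandom'

# Stand-in for the thread's ActiveRecord User model: an in-memory store
# (USERS) replaces the database, and SecureRandom replaces the post's
# object_id.to_s + rand.to_s. The hashing scheme is the thread's own.
class User
  USERS = {}                     # constructed "database": name => User
  attr_reader :name, :salt, :hashed_password

  # Mirrors before_create: the salt is drawn ONCE here and then stored
  # with the record, which is why later logins can reproduce the hash.
  def initialize(name, password)
    @name = name
    @salt = User.create_new_salt
    @hashed_password = User.encrypted_password(password, @salt)
    USERS[name] = self
  end

  # Same as the original: SHA-1 over password + "wibble" + salt.
  def self.encrypted_password(password, salt)
    Digest::SHA1.hexdigest(password + "wibble" + salt)
  end

  def self.create_new_salt
    SecureRandom.hex(8)          # random per record, never regenerated
  end

  # Same control flow as the thread's authenticate: look the user up,
  # re-hash the supplied password with the *stored* salt, compare.
  def self.authenticate(name, password)
    user = USERS[name]
    return nil unless user
    user.hashed_password == encrypted_password(password, user.salt) ? user : nil
  end

  # What the question imagined happening: drawing a new salt at login.
  # The hash no longer matches, which is why the salt must be stored.
  def self.authenticate_with_fresh_salt(name, password)
    user = USERS[name]
    return nil unless user
    user.hashed_password == encrypted_password(password, create_new_salt) ? user : nil
  end
end
```

Two users created with the same password get different hashed_password values because their stored salts differ, which is the "random to an attacker, deterministic to the application" point in Jay's reply.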