Is it possible to somehow send an email containing the user password if it is stored as an MD5 hash in the database?

Is it stupid to save the passwords as clear text strings in the DB? It's a web shop.

A workaround would be to generate a new password and send it to the user. If the user then wants to, he may change to another password.

Any other thoughts on this?

//D
--
Posted via http://www.ruby-forum.com/.
Adrian
2006-Jun-04 20:27 UTC
[Rails] Re: hashed password, send reminder email...impossible?
Daniel wrote:
> Is it possible to somehow send an email containing the user password if
> it is stored as an MD5 hash in the database?
>
> Is it stupid to save the passwords as clear text strings in the DB? It's
> a web shop.
>
> A workaround would be to generate a new password and send it to the
> user. If the user then wants to, he may change to another password.
>
> Any other thoughts on this?
>
> //D

I'd certainly go with generating a new password to send them - they can always change it when they log in. Don't save your passwords in plain text.
--
Posted via http://www.ruby-forum.com/.
Kevin Olbrich
2006-Jun-04 20:39 UTC
[Rails] hashed password, send reminder email...impossible?
On Sunday, June 04, 2006, at 10:22 PM, Daniel wrote:
> Is it possible to somehow send an email containing the user password if
> it is stored as an MD5 hash in the database?
>
> Is it stupid to save the passwords as clear text strings in the DB? It's
> a web shop.
>
> A workaround would be to generate a new password and send it to the
> user. If the user then wants to, he may change to another password.
>
> Any other thoughts on this?
>
> //D

You can't get the password back once it's been hashed.
I'd go for your second choice here.

_Kevin
--
Posted with http://DevLists.com. Sign up and save your mailbox.
njmacinnes@gmail.com
2006-Jun-04 21:39 UTC
[Rails] hashed password, send reminder email...impossible?
This is quite important even if it's for something where security doesn't really matter, because many people choose the same password for everything. I always cringe when I receive my password (a randomly generated sequence of 9 alphanumerics) in an email.

-Nathan

On 4 Jun 2006 20:39:58 -0000, Kevin Olbrich <devlists-rubyonrails@devlists.com> wrote:
> On Sunday, June 04, 2006, at 10:22 PM, Daniel wrote:
> > Is it possible to somehow send an email containing the user password if
> > it is stored as an MD5 hash in the database?
> >
> > Is it stupid to save the passwords as clear text strings in the DB? It's
> > a web shop.
> >
> > A workaround would be to generate a new password and send it to the
> > user. If the user then wants to, he may change to another password.
> >
> > Any other thoughts on this?
> >
> > //D
>
> You can't get the password back once it's been hashed.
> I'd go for your second choice here.
>
> _Kevin
Calle Dybedahl
2006-Jun-05 07:13 UTC
[Rails] hashed password, send reminder email...impossible?
>>>>> "Daniel" == Daniel <big@chello.se> writes:

> Is it possible to somehow send an email containing the user password if
> it is stored as an MD5 hash in the database?

No. That it's impossible is the entire point of the hashing.

> Is it stupid to save the passwords as clear text strings in the DB?
> It's a web shop.

It is very bad security practice. If you do that, everybody who gets access to your database (legitimately or not) can trivially pretend to be any customer they like.

> A workaround would be to generate a new password and send it to the
> user. If the user then wants to, he may change to another password.

This is the right way of doing it. To up the security another notch, force the user to change their password the first time they log in with the mailed-out one (mail is not a secure distribution path).
--
Calle Dybedahl <calle@cyberpomo.com> http://www.livejournal.com/users/cdybedahl/
"Women. They don't even make sense when you are one." -- babycola
Steve Madsen
2006-Jun-05 23:47 UTC
[Rails] Re: hashed password, send reminder email...impossible?
Calle Dybedahl wrote:
>> A workaround would be to generate a new password and send it to the
>> user. If the user then wants to, he may change to another password.
>
> This is the right way of doing it. To up the security another notch,
> force the user to change their password the first time they log in
> with the mailed-out one (mail is not a secure distribution path).

I'd avoid changing the password at all until you have some assurance that the reset request is legitimate. Consider the scenario where someone comes along, tries to log in as you, clicks "I forgot my password". Now your password is changed and you can't log in until you go dig into your email to discover that you need to use something different. Let's hope that email isn't lost to an overzealous spam filter.

I've solved this problem in the past by using a separate column in my users table where I generate some unguessable token, then email a link to the user at their email address of record. The link contains the token, and if it matches what I have in the DB, I let them change their password.

Also remember that storing a simple hash of the password is less than ideal, too. An attacker that gets your database only has to generate hashes for his large dictionary of passwords, then compare this to your DB. Adding salts (a few characters of randomness) and then MD5'ing salt+password defeats this attack.
--
Posted via http://www.ruby-forum.com/.
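The token-based reset flow Steve describes above, written out as an added example in plain Ruby (this is not code from the thread or from any Rails project). A "forgot my password" request stores an unguessable token and hands back the value to put in the e-mailed link; the current password is left alone until the link is followed, which is the point Steve makes against the generate-and-mail approach in the earlier posts. It goes a little beyond the post: the database column holds a SHA-256 digest of the token rather than the token itself, the link expires and is single-use, and comparisons are constant-time. Passwords are stored salted and hashed as the post recommends, but with PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library in place of salted MD5. The in-memory Hash stands in for the users table, and the one-hour lifetime, the salt and token sizes, and the `shop.example` URL are assumptions for the example.

```ruby
require "openssl"
require "securerandom"

# Added example, not the thread's or any project's code: a password-reset
# flow where the reset request only records a token and the password is
# changed when the e-mailed link is followed. The Hash passed in as `users`
# stands in for the users table; TTL, salt and token sizes are assumptions.
module PasswordReset
  ITERATIONS = 100_000
  KEY_LEN    = 32
  TOKEN_TTL  = 60 * 60 # seconds a mailed reset link stays valid (assumed)

  # Returns [salt, hex_hash]. A fresh random salt per user makes identical
  # passwords hash differently, which is what defeats a precomputed
  # dictionary of hashes. PBKDF2-HMAC-SHA256 is used instead of salted MD5.
  def self.hash_password(password, salt = SecureRandom.hex(16))
    digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                        OpenSSL::Digest.new("sha256"))
    [salt, digest.unpack1("H*")]
  end

  # Constant-time comparison so the length of the matching prefix does not
  # leak through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.create_user(users, email, password)
    salt, hash = hash_password(password)
    users[email] = { salt: salt, password_hash: hash,
                     reset_digest: nil, reset_expires_at: nil }
  end

  def self.authenticate(users, email, password)
    user = users[email]
    return false unless user
    _, candidate = hash_password(password, user[:salt])
    secure_compare(candidate, user[:password_hash])
  end

  # Step 1, "I forgot my password": store only a digest of the token (so a
  # database read does not yield working links) and return the raw token
  # for the e-mailed URL. The current password is NOT changed here.
  def self.request_reset(users, email, now = Time.now)
    user = users[email]
    return nil unless user # the web layer should respond the same either way
    token = SecureRandom.urlsafe_base64(32)
    user[:reset_digest]     = OpenSSL::Digest::SHA256.hexdigest(token)
    user[:reset_expires_at] = now + TOKEN_TTL
    token # goes into e.g. https://shop.example/reset?token=... (hypothetical)
  end

  # Step 2, the link is followed: find the user by token digest, reject
  # unknown or expired tokens, set the new password, and burn the token so
  # the link cannot be replayed. Returns true on success.
  def self.complete_reset(users, token, new_password, now = Time.now)
    digest = OpenSSL::Digest::SHA256.hexdigest(token)
    user = users.values.find do |u|
      u[:reset_digest] && secure_compare(u[:reset_digest], digest)
    end
    return false unless user
    return false if now > user[:reset_expires_at]
    user[:salt], user[:password_hash] = hash_password(new_password)
    user[:reset_digest] = user[:reset_expires_at] = nil
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  users = {} # constructed sample data
  PasswordReset.create_user(users, "customer@example.com", "correct horse")
  token = PasswordReset.request_reset(users, "customer@example.com")
  puts "old password still works after request: #{PasswordReset.authenticate(users, "customer@example.com", "correct horse")}"
  puts "reset via link: #{PasswordReset.complete_reset(users, token, "battery staple")}"
  puts "same link again: #{PasswordReset.complete_reset(users, token, "again")}"
  puts "new password works: #{PasswordReset.authenticate(users, "customer@example.com", "battery staple")}"
end
```

In a Rails app the two reset methods map onto the "forgot password" POST and the GET/POST pair behind the mailed link; the `reset_digest` and `reset_expires_at` keys are the extra columns Steve mentions, and the web layer should give the same response whether or not the e-mail exists so the form cannot be used to enumerate customers.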
Anatoly Mikhailov
2009-Jan-08 08:18 UTC
Re: hashed password, send reminder email...impossible?
You can send an e-mail with a password reset link. I use the following code to send an unencrypted password; after that the system will encrypt the password: http://www.railsgeek.com/2009/1/6/generate-random-password-in-rails
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2009-Jan-08 09:25 UTC
Re: hashed password, send reminder email...impossible?
On Jan 8, 8:18 am, Anatoly Mikhailov <rails-mailing-l...@andreas-s.net> wrote:
> You can send an e-mail with a password reset link.
> I use the following code to send an unencrypted password; after that the system will
> encrypt the password: http://www.railsgeek.com/2009/1/6/generate-random-password-in-rails

If you're asking whether you can retrieve the password to send it to forgetful users, the answer is no, you can't.

Fred

> --
> Posted via http://www.ruby-forum.com/.
Sure, you can't send the forgotten password. So the more secure way is to store a hashed password instead of an unencrypted one. I usually send a password reset link via e-mail. I just published an article using the before_on_create callback, because it is a more useful way, which follows the principle: skinny controllers, fat models.

On 8 Jan, 15:25, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Jan 8, 8:18 am, Anatoly Mikhailov <rails-mailing-l...@andreas-s.net> wrote:
> > You can send an e-mail with a password reset link.
> > I use the following code to send an unencrypted password; after that the system will
> > encrypt the password: http://www.railsgeek.com/2009/1/6/generate-random-password-in-rails
>
> If you're asking whether you can retrieve the password to send it to
> forgetful users, the answer is no, you can't.
>
> Fred
>
> > --
> > Posted via http://www.ruby-forum.com/.