How does one retrieve an encrypted password generated with the Salted Login Generator?

Thanks,
Nick

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
On 25.11.2005 at 23:29, Nicholas Van Weerdenburg wrote:
> How does one retrieve an encrypted password generated with the Salted
> Login Generator?

The whole idea of encrypting a password with MD5 or crypt (which SLG uses) is that the password is hard - if not impossible - to decrypt. There is "no way" of retrieving a password.

This secures passwords against stealing a user database, for example. The only way you can allow users to log in again is to generate a new password and send it to the email address they specified on registration.

Regards

Manuel Holtgrewe
The SLG puts the hashed password in the 'salted_password' member of the User model that was generated. If you want to get the original password text: you can't. The password is hashed (not encrypted), and that is not reversible to extract the original password.

If your user forgets their password, all you can do is let them set a new one, and the SLG has a bunch of code to send a 'security token' to the user that is, in effect, a temporary password that expires fairly quickly.

________________________________
From: Nicholas Van Weerdenburg [mailto:vanweerd-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org]
Sent: Friday, November 25, 2005 2:30 PM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: [Rails] Retrieving SHG Password

How does one retrieve an encrypted password generated with the Salted Login Generator?
I thought it might be something like that.

Anyone have recommendations for something that is retrievable? Maybe something with a private key that an admin keeps separate from the application?

Thanks,
Nick

On 11/25/05, Manuel Holtgrewe <purestorm-nlpEiS6K5uusTnJN9+BGXg@public.gmane.org> wrote:
> There is "no way" of retrieving a password.
>
> This secures passwords against stealing a user database, for example.
> The only way you can allow users to log in again is to generate a new
> password and send it to the email address they specified on registration.

--
Nicholas Van Weerdenburg
I prefer using the "generate a new password and email it" option mentioned below because it's much more secure.

Here's some code I found to generate a random password... I'm using this in my apps

    require "securerandom"

    # Create a new random password of +len+ characters.
    def newpass( len )
      chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
      newpass = ""
      # Draw indexes from 0...chars.size with SecureRandom: Kernel#rand is not a
      # secure generator, and rand(chars.size-1) could never pick the last element.
      1.upto(len) { newpass << chars[SecureRandom.random_number(chars.size)] }
      return newpass
    end

On 11/25/05, Manuel Holtgrewe <purestorm-nlpEiS6K5uusTnJN9+BGXg@public.gmane.org> wrote:
> The only way you can allow users to log in again is to generate a new
> password and send it to the email address they specified on registration.

--
Nicholas Van Weerdenburg
This would be completely custom work.

Best practice for password security is to use the hash and provide a reset mechanism for the user. This way, the only person with access is the user with the password. Even an Admin user can't gain access without someone noticing (they have to perform a password reset to get a new password, and the user will notice this).

Encryption can be used, but this adds complexity: The private key must be kept secure. If the admin uses the private key to get a user's password, how can you tell? If the key gets compromised, how do you change the key?

Hashing is inherently more secure, and is less complex to administer, which is why it is the preferred method.

________________________________
From: Nicholas Van Weerdenburg [mailto:vanweerd-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org]
Sent: Saturday, November 26, 2005 8:35 AM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: Re: [Rails] Retrieving SHG Password

I thought it might be something like that. Anyone have recommendations for something that is retrievable? Maybe something with a private key that an admin keeps separate from the application?
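The pattern the two replies above describe (a salted one-way hash in the user record, and a short-lived reset token in place of a retrievable password), as an added example that is neither SLG's nor any poster's code. It assumes PBKDF2-HMAC-SHA256 instead of the digest SLG used, a 15-minute token lifetime, and a plain Hash standing in for the User model.

```ruby
require "openssl"
require "securerandom"

# Assumed parameters for this example (not SLG's values).
ITERATIONS = 100_000
KEY_LEN    = 32
TOKEN_TTL  = 15 * 60 # seconds a reset token stays valid

# Salted, slow, one-way hash: the record keeps salt and digest, never the password.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                      OpenSSL::Digest.new("SHA256"))
  { salt: salt, salted_password: digest.unpack1("H*") }
end

# Constant-time comparison so response timing does not leak digest bytes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verification re-derives the digest with the stored salt; there is no inverse.
def verify_password?(record, candidate)
  secure_equal?(hash_password(candidate, record[:salt])[:salted_password],
                record[:salted_password])
end

# Issue a reset token: the plaintext goes to the user's e-mail, while only its
# hash and an expiry are stored, so a stolen database yields no usable tokens.
def issue_reset_token(record, now = Time.now)
  token = SecureRandom.hex(16)
  record[:token_hash] = OpenSSL::Digest::SHA256.hexdigest(token)
  record[:token_expires_at] = now + TOKEN_TTL
  token
end

# Redeem: accepted only if unexpired and matching; the token is cleared on use
# so it cannot be replayed, and the new password's hash replaces the old one.
def redeem_reset_token(record, token, new_password, now = Time.now)
  stored = record[:token_hash]
  return false if stored.nil? || now > record[:token_expires_at]
  return false unless secure_equal?(OpenSSL::Digest::SHA256.hexdigest(token), stored)
  record.delete(:token_hash)
  record.delete(:token_expires_at)
  record.merge!(hash_password(new_password))
  true
end
```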