This might be a stupid question and if so then humor me with a smart remark and the answer :)

I want to have a feature on my site that allows me to email forgotten passwords back to the user (like what Backpack does). Now I'm currently encrypting the user's password + salt before saving to the database using code borrowed from the LoginGenerator.

The question I have is: is there any way to get the user's password after it's been SHA1'ed, or do I have to store the user's password as plain text in the database?

If I have to store it plain text, isn't that a bit insecure? And if so, why does Backpack (and I'm assuming others) do it?

If I want to have the password encrypted in the database, is my only option to change their password to a new value?

Thanks!

-- 
Posted via http://www.ruby-forum.com/.
On Mon, Jan 09, 2006 at 02:12:21AM +0100, Gerry Shaw wrote:
> This might be a stupid question and if so then humor me with a smart
> remark and the answer :)
>
> I want to have a feature on my site that allows me to email forgotten
> passwords back to the user (like what Backpack does). Now I'm currently
> encrypting the user's password + salt before saving to the database
> using code borrowed from the LoginGenerator.
>
> The question I have is: is there any way to get the user's password after
> it's been SHA1'ed, or do I have to store the user's password as plain text
> in the database?
>
> If I have to store it plain text, isn't that a bit insecure? And if so,
> why does Backpack (and I'm assuming others) do it?
>
> If I want to have the password encrypted in the database, is my only
> option to change their password to a new value?
>
> Thanks!

Nope, you can't un-SHA1 the password. The only way to send it back is to store it plain text (or use encryption, which is fairly pointless). It's marginally less secure if someone gets access to your database; at which point they've got all the data anyway. It's a tradeoff of convenience for a slight decrease in security.

-Scott
Thanks for the sanity check (and quick reply). Just checking to make sure I wasn't missing anything obvious.

-- 
Posted via http://www.ruby-forum.com/.
For security reasons I've always taken the approach of using an algorithm to generate a new strong password, change the user's password, and then email that to the user. I think most users will appreciate the fact that you've created a new secure password for them. At least it gives them a feeling that their password is not out in the open.

Michael Trier

On 1/8/06, Scott Barron <scott@elitists.net> wrote:
>
> On Mon, Jan 09, 2006 at 02:12:21AM +0100, Gerry Shaw wrote:
> > This might be a stupid question and if so then humor me with a smart
> > remark and the answer :)
> >
> > I want to have a feature on my site that allows me to email forgotten
> > passwords back to the user (like what Backpack does). Now I'm currently
> > encrypting the user's password + salt before saving to the database
> > using code borrowed from the LoginGenerator.
> >
> > The question I have is: is there any way to get the user's password after
> > it's been SHA1'ed, or do I have to store the user's password as plain text
> > in the database?
> >
> > If I have to store it plain text, isn't that a bit insecure? And if so,
> > why does Backpack (and I'm assuming others) do it?
> >
> > If I want to have the password encrypted in the database, is my only
> > option to change their password to a new value?
> >
> > Thanks!
> >
>
> Nope, you can't un-SHA1 the password. The only way to send it back is
> to store it plain text (or use encryption, which is fairly pointless).
> It's marginally less secure if someone gets access to your database; at
> which point they've got all the data anyway. It's a tradeoff of
> convenience for a slight decrease in security.
>
> -Scott
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
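The approach Michael describes, as an added Ruby example (not code from the thread or from LoginGenerator): the record holds only a salted SHA1 hash, so a forgotten password is replaced with a freshly generated one rather than recovered. The `UserRecord` class, the `--salt--password--` hash layout and the 12-character alphanumeric password are assumptions made for this example.

```ruby
require 'digest/sha1'
require 'securerandom'

# Added example: models the forgot-password flow from the thread.
# The stored value is a one-way hash, so the only way to "give back"
# a password is to set a new one and mail that.
class UserRecord
  attr_reader :login, :salt, :hashed_password

  # Hash layout is an assumption, not LoginGenerator's exact concatenation.
  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  def initialize(login, password)
    @login = login
    @salt = SecureRandom.hex(20)           # per-user random salt
    @hashed_password = self.class.encrypt(password, @salt)
  end

  # Login only ever re-hashes the candidate and compares; nothing is decrypted.
  def authenticate(candidate)
    self.class.encrypt(candidate, salt) == hashed_password
  end

  ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a).freeze

  # "Forgot password": mint a strong random password, store its hash under a
  # fresh salt, and return the plaintext once so it can be mailed to the user.
  def reset_password!(length = 12)
    new_password = Array.new(length) do
      ALPHABET[SecureRandom.random_number(ALPHABET.size)]
    end.join
    @salt = SecureRandom.hex(20)
    @hashed_password = self.class.encrypt(new_password, @salt)
    new_password
  end
end

if __FILE__ == $0
  u = UserRecord.new('gerry', 'hunter2')
  puts u.authenticate('hunter2')       # true
  fresh = u.reset_password!
  puts u.authenticate('hunter2')       # false: the old password is gone
  puts u.authenticate(fresh)           # true: `fresh` is what gets emailed
end
```

The generated password is only held in memory long enough to be mailed; the database never sees plaintext, which is the property the thread is trading against convenience.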