You cannot decrypt it. It's a one-way hash. (*)
I would recommend doing something like this:
Make an action that will set a password change code string, using the
same methods that the activation code uses. This is a long,
unpredictable string to an attacker. This page will say something
like "Your password has been reset. Please check your email, and
follow the directions within it."
You then mail them a URL which uses this code, say
http://example.com/account/lost_password/1231d1ljkh1299u31n39d3d2092b2d
(the latter part is their unique reset code.) This action will ask
for their login name, a new password, and the verification of that
password. If everything matches, you reset their password (and be
nice and mail them that it was reset.)
This way you never store the clear-text version of their password, and
they can continue to do bad things like use the same password for
their banking accounts. :)
(*) OK, so you COULD brute-force it, or do some sort of dictionary
attack on it. But why would you want to do this? Storing the hashed
password means that if your database is exposed people cannot just use
the passwords in it to log into any account.
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
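The reset flow described in the post above, worked through as an added Ruby example (not code from the original message or from Rails itself). All names here are hypothetical: `UserStore` stands in for a User model with an in-memory hash instead of a database, passwords are hashed with PBKDF2 from the standard library, and the reset code is kept only as a SHA-256 digest with an expiry, so a leaked table does not hand out working reset links. `http://example.com/account/lost_password/...` is the URL shape the post uses, not a real site.

```ruby
require "securerandom"
require "openssl"
require "digest"

# Hypothetical names throughout; this is not code from the original post.
RESET_TOKEN_TTL = 30 * 60          # reset links stop working after 30 minutes
PBKDF2_ITERATIONS = 100_000

# Stand-in for a User model; an in-memory hash replaces the database.
class UserStore
  Record = Struct.new(:login, :email, :password_salt, :password_digest,
                      :reset_token_digest, :reset_expires_at, keyword_init: true)

  def initialize
    @users = {}
  end

  def create(login:, email:, password:)
    salt = SecureRandom.hex(16)
    @users[login] = Record.new(login: login, email: email, password_salt: salt,
                               password_digest: hash_password(password, salt))
  end

  def find(login)
    @users[login]
  end
end

# One-way password hash (PBKDF2-HMAC-SHA256 from the standard library); only
# this digest and the salt are ever stored, never the clear-text password.
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, "sha256").unpack1("H*")
end

# Constant-time string comparison so token/digest checks do not leak timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1: generate the long, unpredictable reset code. Only its SHA-256 digest
# is saved, so a database dump does not hand out live reset links. Returns the
# raw code to put in the e-mail, or nil for an unknown login (the page shown to
# the requester reads the same in both cases).
def issue_reset_token(store, login, now: Time.now)
  user = store.find(login)
  return nil unless user
  token = SecureRandom.hex(32)
  user.reset_token_digest = Digest::SHA256.hexdigest(token)
  user.reset_expires_at = now + RESET_TOKEN_TTL
  token
end

# Step 2: the URL that goes in the e-mail (host taken from the post, not a real site).
def reset_url(token)
  "http://example.com/account/lost_password/#{token}"
end

# Step 3: the action behind that URL. Checks login, code, expiry and the
# password confirmation; on success stores a fresh salt and digest and clears
# the code so the link is single-use.
def complete_reset(store, token, login:, new_password:, confirmation:, now: Time.now)
  user = store.find(login)
  return :invalid_token unless user && user.reset_token_digest
  return :invalid_token unless secure_equal?(user.reset_token_digest, Digest::SHA256.hexdigest(token))
  return :expired if now > user.reset_expires_at
  return :confirmation_mismatch unless new_password == confirmation
  user.password_salt = SecureRandom.hex(16)
  user.password_digest = hash_password(new_password, user.password_salt)
  user.reset_token_digest = nil
  user.reset_expires_at = nil
  :ok   # the caller would now mail the user that the password was changed
end

# Normal login check against the stored digest.
def authenticate(store, login, password)
  user = store.find(login)
  return false unless user
  secure_equal?(user.password_digest, hash_password(password, user.password_salt))
end
```

Two details go beyond the post's wording: the stored reset code is a digest of the mailed value rather than the value itself, and the code expires and is cleared after one use, so a copied or old e-mail cannot be replayed.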