Craig Westmoreland wrote:
> My passwords are one-way encrypted, using a SHA1 hexdigest, so
> currently users would only see a garbled string which is not their
> password.
First, to get some semantics out of the way: SHA1 is not encryption, it is a message digest (a.k.a. hash). The whole point of a message digest is that it cannot (within reason) be reversed.

You have two options:

1. Encrypt passwords using an encryption algorithm such as AES, DES, or Blowfish, so that you can reverse them. (NOT RECOMMENDED!)

2. Give the user a temporary (one-time use) password and send them that. Keep track that the password is temporary and make them reset their password immediately after logging in. (This is the safest way I know of to implement password recovery.)

The reason #1 is not recommended is that you must store the keys used to perform the encryption somewhere on your server. If your database was compromised, then it's highly likely that your server is compromised as well. A hacker would be able to find everything he needs to know to reverse all the passwords in the database. Secondly, as a developer you would also have the knowledge to reverse anyone's password.

I personally get very upset if any web site is ever capable of telling me what my password is. I make every effort to avoid using sites that I know are capable of this.

-- 
Posted via http://www.ruby-forum.com/.
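The following is an added example of option #2 from the reply above; it is not code from the original thread or from Rails itself. The `PasswordRecovery` class, its method names and the in-memory `@users` hash are hypothetical stand-ins for a real user model. It stores only a digest of the temporary password (so a database dump still reveals no usable secret), gives it a 15-minute expiry, consumes it on first successful login, and forces a password change before normal access resumes. It uses PBKDF2 from Ruby's stdlib `openssl` for the stored digests instead of the bare SHA1 hexdigest mentioned in the question; that choice is the example's, not the original poster's.

```ruby
require "openssl"
require "securerandom"

# Hypothetical password-recovery flow (added example, not from the original thread).
# Users are kept in an in-memory hash; a real app would use its user table.
class PasswordRecovery
  ITERATIONS = 100_000   # PBKDF2 work factor for stored digests
  TEMP_TTL   = 15 * 60   # temporary passwords expire after 15 minutes

  attr_reader :users

  # `clock` is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @users = {}
    @clock = clock
  end

  def register(username, password)
    @users[username] = { salt: nil, hash: nil, temp: nil, must_reset: false }
    set_password!(username, password)
    true
  end

  # Option #2: mint a random one-time password, store only its salted digest
  # and an expiry, and hand the plaintext back so the caller can e-mail it.
  # The plaintext is never persisted.
  def issue_temporary_password(username)
    user = @users.fetch(username)
    temp = SecureRandom.urlsafe_base64(12)
    salt = SecureRandom.random_bytes(16)
    user[:temp] = { salt: salt, hash: derive(temp, salt),
                    expires_at: @clock.call + TEMP_TTL }
    temp
  end

  # Returns :ok for a normal login, :must_reset when the account still owes a
  # password change (the temporary password was just used, or an earlier use
  # was never followed by a reset), or nil when the credentials are rejected.
  def authenticate(username, password)
    user = @users[username]
    return nil unless user

    if (t = user[:temp])
      if @clock.call > t[:expires_at]
        user[:temp] = nil                      # expired: discard silently
      elsif secure_equal?(derive(password, t[:salt]), t[:hash])
        user[:temp] = nil                      # one-time: consumed on first use
        user[:must_reset] = true
        return :must_reset
      end
    end

    return nil unless secure_equal?(derive(password, user[:salt]), user[:hash])
    user[:must_reset] ? :must_reset : :ok
  end

  # Only callable once a temporary password has been redeemed.
  def reset_password!(username, new_password)
    user = @users.fetch(username)
    raise ArgumentError, "no password reset pending" unless user[:must_reset]
    set_password!(username, new_password)
    user[:must_reset] = false
    user[:temp] = nil
    true
  end

  private

  def set_password!(username, password)
    salt = SecureRandom.random_bytes(16)
    @users[username][:salt] = salt
    @users[username][:hash] = derive(password, salt)
  end

  # Salted, iterated digest; like SHA1 in the question it is one-way,
  # but slow enough to resist offline guessing if the table leaks.
  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end

  # Constant-time comparison so digest checks do not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  store = PasswordRecovery.new
  store.register("alice", "correct horse")
  temp = store.issue_temporary_password("alice")   # would be e-mailed to alice
  puts store.authenticate("alice", temp)           # :must_reset
  store.reset_password!("alice", "new passphrase")
  puts store.authenticate("alice", "new passphrase") # :ok
end
```

Note that the user's existing password keeps working while a temporary one is outstanding, so a stranger requesting a reset for someone else's account cannot lock the real owner out; the temporary password only ever adds a second, short-lived way in.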