This would be completely custom work.

Best practice for password security is to use the hash and provide a reset mechanism for the user. This way, the only person with access is the user with the password. Even an Admin user can't gain access without someone noticing (they have to perform a password reset to get a new password, and the user will notice this).

Encryption can be used, but this adds complexity: The private key must be kept secure. If the admin uses the private key to get a user's password, how can you tell? If the key gets compromised, how do you change the key?

Hashing is inherently more secure, and is less complex to administer, which is why it is the preferred method.

________________________________
From: Nicholas Van W. [mailto:firstname.lastname@example.org]
Sent: Saturday, November 26, 2005 8:35 AM
To: email@example.com
Subject: Re: [Rails] Retrieving SHG Password

I thought it might be something like that. Anyone have recommendations for something that is retrievable? Maybe something with a private key that an admin keeps separate from the application?

Thanks,
Nick

On 11/25/05, Manuel H. <firstname.lastname@example.org> wrote:

On 25.11.2005 at 23:29, Nicholas Van W. wrote:

> How does one retrieve an encrypted password generated with the Salted
> Login Generator?

The whole idea of encrypting a password with MD5 or crypt (which SLG uses) is that the password is hard - if not impossible - to decrypt. There is "no way" of retrieving a password. This secures passwords against stealing a user database, for example.

The only way you can allow users to log in again is to generate a new password and send it to the email address they specified on registration.

Regards
Manuel H.
on 2005-11-27 00:41
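
The hash-and-reset approach described in this thread, as an added example that is not part of the original messages or of the Salted Login Generator's code. It assumes PBKDF2-HMAC-SHA256 (in place of the MD5 or crypt the thread mentions), an in-memory user record, and hypothetical helper names and constants throughout.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 100_000 # assumed work factor for this example
RESET_TTL  = 3600    # assumed reset-token lifetime in seconds

# One-way derivation: only the salt and this digest are ever stored.
def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Constant-time comparison, so timing does not reveal how many bytes matched.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical user record (a hash standing in for a database row).
def new_user(password)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, digest: derive(password, salt), reset_digest: nil, reset_expires: nil }
end

def verify_password(user, password)
  secure_equal(user[:digest], derive(password, user[:salt]))
end

# The raw token is sent to the address given at registration; the server
# keeps only its SHA-256 digest and an expiry time.
def issue_reset(user, now = Time.now)
  token = SecureRandom.urlsafe_base64(32)
  user[:reset_digest]  = OpenSSL::Digest.new("SHA256").digest(token)
  user[:reset_expires] = now + RESET_TTL
  token
end

# Single use: a successful reset replaces salt and digest and clears the token.
def redeem_reset(user, token, new_password, now = Time.now)
  return false if user[:reset_digest].nil? || now > user[:reset_expires]
  return false unless secure_equal(user[:reset_digest], OpenSSL::Digest.new("SHA256").digest(token))
  user[:salt] = SecureRandom.random_bytes(16)
  user[:digest] = derive(new_password, user[:salt])
  user[:reset_digest] = user[:reset_expires] = nil
  true
end
```

After a reset the old password no longer verifies, which is the visible side effect the first message relies on: nobody, an admin included, can get in through a reset without the user noticing.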