Forum: Ruby on Rails RE: Retrieving SHG Password

Tom (Guest)
on 2005-11-27 00:41
(Received via mailing list)
This would be completely custom work.  Best practice for password
security is to use the hash and provide a reset mechanism for the user.
This way, the only person with access is the user with the password.
Even an Admin user can't gain access without someone noticing (they have
to perform a password reset to get a new password, and the user will
notice this)
Encryption can be used, but this adds complexity:  The private key must
be kept secure.  If the admin uses the private key to get a user's
password, how can you tell?  If the key gets compromised, how do you
change the key?
Hashing is inherently more secure, and is less complex to administer,
which is why it is the preferred method.
________________________________

From: Nicholas Van W. [mailto:removed_email_address@domain.invalid]
Sent: Saturday, November 26, 2005 8:35 AM
To: removed_email_address@domain.invalid
Subject: Re: [Rails] Retrieving SHG Password
I thought it might be something like that.

Anyone have recommendations for something that is retrievable? Maybe
something with a private key that an admin keeps separate from the
application?

Thanks,
Nick

On 11/25/05, Manuel H. <removed_email_address@domain.invalid> wrote:

On 25.11.2005 at 23:29, Nicholas Van W. wrote:

> How does one retrieve an encrypted password generated with the Salted
> Login Generator?

The whole idea of encrypting a password with MD5 or crypt (which SLG
uses) is that the password is hard - if not impossible - to decrypt.
There is "no way" of retrieving a password.

This secures passwords against stealing a user database, for example.
The only way you can allow users to log in again is to generate a new
password and send it to the email address they specified on registration.

Regards

Manuel H.
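The two points made in this thread (Tom's: hash the password and offer a reset flow instead of retrieval; Manuel's: a salted hash is one-way, so the only way back in is a new password) can be shown side by side in Ruby. The following is an added example written for this page; it is not code from the thread, from Rails, or from the Salted Login Generator. It assumes a plain in-memory hash for the user record, uses PBKDF2-HMAC-SHA256 in place of the crypt/MD5 scheme SLG used, and the helper names (`hash_password`, `verify_password`, `issue_reset_token`, `redeem_reset_token`, `encrypt_password`, `decrypt_password`) and the `RESET_TTL` and `PBKDF2_ITERATIONS` constants are this example's own. The last two functions implement the "retrievable" variant Nick asked about, to make concrete why a key holder can read every password while a hash holder cannot.

```ruby
require "openssl"
require "securerandom"

# Added example, not from the original thread or the Salted Login Generator.
# Hypothetical helpers operating on a plain Hash as the "user record".

PBKDF2_ITERATIONS = 100_000  # assumption: tune for your hardware
RESET_TTL = 15 * 60          # assumption: reset links live 15 minutes

# Constant-time byte comparison so a mismatch does not leak where it occurred.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One-way storage: a random per-user salt plus a slow hash. The stored string
# lets the app verify a login but gives nobody, admin included, the password.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                      OpenSSL::Digest.new("SHA256"))
  "#{salt}$#{PBKDF2_ITERATIONS}$#{digest.unpack1('H*')}"
end

def verify_password(stored, candidate)
  salt, iterations, hex = stored.split("$", 3)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iterations.to_i, 32,
                                      OpenSSL::Digest.new("SHA256"))
  secure_compare(digest, [hex].pack("H*"))
end

# Reset flow: the only way to let a user back in. Only the token's hash is
# stored, so a stolen database cannot be used to redeem pending resets, and
# the token expires and is single-use. The clear token goes to the user's
# registered e-mail address; the user therefore notices any reset.
def issue_reset_token(user, now = Time.now)
  token = SecureRandom.urlsafe_base64(32)
  user[:reset_token_hash] = OpenSSL::Digest::SHA256.hexdigest(token)
  user[:reset_expires_at] = now + RESET_TTL
  token
end

def redeem_reset_token(user, token, new_password, now = Time.now)
  stored = user[:reset_token_hash]
  return false if stored.nil? || now > user[:reset_expires_at]
  return false unless secure_compare(stored, OpenSSL::Digest::SHA256.hexdigest(token))
  user[:password_hash] = hash_password(new_password)
  user[:reset_token_hash] = nil   # one-time use
  user[:reset_expires_at] = nil
  true
end

# The "retrievable" alternative: AES-256-GCM under a key the admin holds.
# Anyone with the key reads every password, and the data records nothing
# about who decrypted what or when; rotating the key means re-encrypting
# every row. This is the complexity Tom's reply warns about.
def encrypt_password(key, password)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(password) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |s| s.unpack1("H*") }.join("$")
end

def decrypt_password(key, blob)
  iv, tag, ciphertext = blob.split("$").map { |h| [h].pack("H*") }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  user = { password_hash: hash_password("old-passphrase") }
  token = issue_reset_token(user)          # would be e-mailed, not printed
  redeem_reset_token(user, token, "new-passphrase")
  puts verify_password(user[:password_hash], "new-passphrase")  # true
  key = SecureRandom.random_bytes(32)
  puts decrypt_password(key, encrypt_password(key, "readable"))  # readable
end
```

Run it with a plain `ruby` interpreter; only the `openssl` standard library is needed. The hashed record contains salt, iteration count and digest, so the cost factor can be raised later without breaking existing logins, and a database dump yields neither passwords nor usable reset tokens.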