Forum: Ruby on Rails How to mail decrypted password to user?

Prashant T. (Guest)
on 2006-06-09 11:50
Hi,
I am using the acts_as_authenticated plugin for my Rails application. That
plugin is using the "SHA1" algorithm to encrypt the password & store it into
the database. Now in future suppose a user requested his password through
email, how should I decrypt that password in my application & for
sending it through mail?

Please help me.
I have been trying this for the last 2 days, but have still not succeeded.

Thanx in advance for ur help.
Prash
Yannick M. (Guest)
on 2006-06-09 12:00
(Received via mailing list)
Prashant T. wrote:
> Thanx in advance for ur help.
> Prash
>
>
SHA1 is a hash algorithm, it can't be decrypted. In your application, a
user's password is verified by hashing the submitted password with the SHA1
algorithm and comparing this value with the stored SHA1 hash value. It
is never decrypted. If you want to email a password to your user, set a
new one, that they optionally can change after the next login.

Please also note that emailing a password is just not secure (email is
sent in clear text over the network), although it is common practice...
But so is logging in without SSL, which is also common.

--
----------------------------------------------------------------------
Yannick M. http://www.inma.ucl.ac.be/~majoros
Informaticien UCL/INMA-MEMA
4, avenue G. Lemaître
B-1348 Louvain-la-Neuve
Tel: +32-10-47.80.10
Fax: +32-10-47.21.80
Isak H. (Guest)
on 2006-06-09 12:52
(Received via mailing list)
On 6/9/06, Yannick M. <removed_email_address@domain.invalid> wrote:
> >
> > Thanx in advance for ur help.
> > Prash
> >
> >
>  SHA1 is a hash algorithm, it can't be decrypted. In your application, a
> user's password is verified by hashing the submitted password with SHA1
> algorithm and comparing this value with the stored SHA1 hash value. It
> is never decrypted. If you want to email a password to your user, set a
> new one, that they optionally can change after the next login.

Or better yet, leave the password alone and generate some kind of
temporary login token that you mail them. Don't want people resetting
others' passwords.

Isak
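
The temporary-token approach suggested in the last reply, sketched as an added example that is not code from the thread or from the acts_as_authenticated plugin. The `ResetTokens` class, its `TTL` value and the in-memory hash standing in for a database table are all assumptions made for illustration; the user's stored password hash is never touched when a token is issued.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory store standing in for a reset_tokens table.
class ResetTokens
  TTL = 30 * 60 # seconds a token stays valid (assumed value)

  def initialize
    @pending = {} # user_id => { digest:, expires_at: }
  end

  # Returns the raw token to place in the e-mailed link. Only its SHA-256
  # digest is stored, so a leaked table does not yield usable tokens.
  def issue(user_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @pending[user_id] = { digest: Digest::SHA256.hexdigest(token),
                          expires_at: now + TTL }
    token
  end

  # True at most once per issued token, and only before it expires.
  def redeem(user_id, token, now: Time.now)
    entry = @pending[user_id]
    return false if entry.nil?
    if now > entry[:expires_at]
      @pending.delete(user_id) # expired tokens are discarded
      return false
    end
    candidate = Digest::SHA256.hexdigest(token.to_s)
    return false unless secure_compare(entry[:digest], candidate)
    @pending.delete(user_id) # single use
    true
  end

  private

  # Constant-time comparison of two equal-length hex digests.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

Only after `redeem` returns true would the application let the user choose a new password, which is then hashed and stored as usual.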