AWDwR Login Question

In the following code there is a comparison of the password stored in the database with the password entered by the user. Since the salt is created by appending a random number, how come it matches with what is stored in the database?

require 'digest/sha1'

class User < ActiveRecord::Base   # class header was not included in the post
  def self.authenticate(name, password)
    user = self.find_by_name(name)
    if user
      expected_password = encrypted_password(password, user.salt)
      if user.hashed_password != expected_password
        user = nil
      end
    end
    user
  end

  # 'password' is a virtual attribute; the setter's header was cut from the post
  def password
    @password
  end

  def password=(pwd)
    @password = pwd
    create_new_salt
    self.hashed_password = User.encrypted_password(self.password, self.salt)
  end

  private

  # note: 'private' does not affect class methods such as this one
  def self.encrypted_password(password, salt)
    string_to_hash = password + "wibble" + salt # 'wibble' makes it harder to guess
    Digest::SHA1.hexdigest(string_to_hash)
  end

  def create_new_salt
    self.salt = self.object_id.to_s + rand.to_s
  end
end

TIA.

On Sat, 14 Oct 2006 18:39:16 -0700 (PDT), Bala P. wrote:

In the following code there is a comparison of the password stored in the database with the password entered by the user. Since the salt is created by appending a random number, how come it matches with what is stored in the database?

The salt's created only the first time it's needed; after that, it's always the same (note that it's stored in the user's record). So it's "random" to anyone trying a dictionary attack, but perfectly deterministic to your application.

Jay L.
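To make the "generated once, stored, reused" point concrete, here is an added example (not the book's or the poster's code) that stands in for the User model with plain Ruby and an in-memory hash instead of ActiveRecord; the class name, the in-memory table and the constructor are assumptions for the demo.

```ruby
require 'digest/sha1'

# Added example: a plain-Ruby stand-in for the AWDwR User model.
# The salt is created exactly once, when the password is set, and is
# saved next to the hash; authenticate reads it back from the record.
class User
  attr_reader :name, :salt, :hashed_password
  @@table = {}   # constructed in-memory "users table": name => User

  def initialize(name, password)
    @name = name
    self.password = password   # private setter; creates salt and hash
    @@table[name] = self
  end

  def self.find_by_name(name)
    @@table[name]
  end

  # Same logic as the posted authenticate: recompute the hash with the
  # salt stored in the record and compare it with the stored hash.
  def self.authenticate(name, password)
    user = find_by_name(name)
    if user
      expected_password = encrypted_password(password, user.salt)
      user = nil if user.hashed_password != expected_password
    end
    user
  end

  def self.encrypted_password(password, salt)
    Digest::SHA1.hexdigest(password + "wibble" + salt)
  end

  private

  # Setting the password is the only place a new salt is generated.
  def password=(pwd)
    create_new_salt
    @hashed_password = User.encrypted_password(pwd, @salt)
  end

  def create_new_salt
    @salt = object_id.to_s + rand.to_s   # random once, then fixed
  end
end
```

Two users created with the same password end up with different salts and therefore different hashes, which is what defeats a precomputed dictionary; a login still succeeds because the record's own salt is used.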

On Oct 14, 2006, at 8:39 PM, Bala P. wrote:

In the following code there is a comparison of the password stored in the database with the password entered by the user. Since the salt is created by appending a random number, how come it matches with what is stored in the database?

The salt is stored in the user record when it is created.

Cheers

Dave

Bala P. wrote:

In the following code there is a comparison of the password stored in the database with the password entered by the user. Since the salt is created by appending a random number, how come it matches with what is stored in the database?

require 'digest/sha1'

class User < ActiveRecord::Base   # class header was not included in the post
  def self.authenticate(name, password)
    user = self.find_by_name(name)
    if user
      expected_password = encrypted_password(password, user.salt)
      if user.hashed_password != expected_password
        user = nil
      end
    end
    user
  end

  # 'password' is a virtual attribute; the setter's header was cut from the post
  def password
    @password
  end

  def password=(pwd)
    @password = pwd
    create_new_salt
    self.hashed_password = User.encrypted_password(self.password, self.salt)
  end

  private

  # note: 'private' does not affect class methods such as this one
  def self.encrypted_password(password, salt)
    string_to_hash = password + "wibble" + salt # 'wibble' makes it harder to guess
    Digest::SHA1.hexdigest(string_to_hash)
  end

  def create_new_salt
    self.salt = self.object_id.to_s + rand.to_s
  end
end

TIA.

You can be more secure: store an encrypted salt in the database

def create_new_salt
self.salt = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
end

and even more: do the same with the password before concatenating it with the salt.
And even more: use Digest::SHA1.hexdigest for the password and salt and Digest::SHA256.hexdigest for hashed_password (require 'digest/sha2').