Hashed password, send reminder email...impossible?

Is it possible to somehow send an email containing the user password if
it is stored as a md5 hash in the database?

Is it stupid to save the passwords as clear text strings in the db? Its
a web shop.

A workaround would be to generate a new password and send it to the
user. If the user then want to, he may change to another password.

Any other thoughts on this?

//D

On Sunday, June 04, 2006, at 10:22 PM, Daniel wrote:

//D


Posted via http://www.ruby-forum.com/.


Rails mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails

You can’t get the password back once it’s been hashed.
I’d go for your second choice here.

_Kevin

This is quite important even if it’s for something where security
doesn’t really matter, because many people choose the same password
for everything. I always cringe when I receive my password (a randomly
generated sequence of 9 alpha-numerics) in an email.
-Nathan

On 4 Jun 2006 20:39:58 -0000, Kevin O.

“Daniel” == Daniel [email protected] writes:

Is it possible to somehow send an email containing the user password if
it is stored as a md5 hash in the database?

No. That it’s impossible is the entire point of the hashing.

Is it stupid to save the passwords as clear text strings in the db?
Its a web shop.

It is very bad security practice. If you do that, everybody who gets
access to your database (legitimately or not) can trivially pretend to
be any customer they like.

A workaround would be to generate a new password and send it to the
user. If the user then want to, he may change to another password.

This is the right way of doing it. To up the security another notch,
force the user to change their password the first time they log in
with the mailed-out one (mail is not a secure distribution path).

	     Calle D. <[email protected]>
	 http://www.livejournal.com/users/cdybedahl/
  "Women. They don't even make sense when you are one." -- babycola

Calle D. wrote:

A workaround would be to generate a new password and send it to the
user. If the user then want to, he may change to another password.

This is the right way of doing it. To up the security another notch,
force the user to change their password the first time they log in
with the mailed-out one (mail is not a secure distribution path).

I’d avoid changing the password at all until you have some assurance
that the reset request is legitimate. Consider the scenario where
someone comes along, tries to log in as you, clicks “I forgot my
password”. Now your password is changed and you can’t log in until you
go dig into your email to discover that you need to use something
different. Let’s hope that email isn’t lost to an overzealous spam
filter.

I’ve solved this problem in the past by using a separate column in my
users table where I generate some unguessable token, then email a link
to the user at their email address of record. The link contains the
token, and if it matches what I have in the DB, I let them change their
password.

Also remember that storing a simple hash of the password is less than
ideal, too. An attacker that gets your database only has to generate
hashes for his large dictionary of passwords, then compare this to your
DB. Adding salts (a few characters of randomness) and then MD5’ing
salt+password defeats this attack.

You can send an e-mail with password reset link.
I use follow code for send uncrypted password, after that system will
encrypt the password
http://www.railsgeek.com/2009/1/6/generate-random-password-in-rails

Daniel wrote:

Is it possible to somehow send an email containing the user password if
it is stored as a md5 hash in the database?

Is it stupid to save the passwords as clear text strings in the db? Its
a web shop.

A workaround would be to generate a new password and send it to the
user. If the user then want to, he may change to another password.

Any other thoughts on this?

//D

I’d certainly go with generating a new password to send them - they can
always change it when they log-in. Don’t save your passwords in plain
text.

sure, you can’t send the forgotten password. So, more secure way is to
store hashed password instead uncrypted one.
I usually send a password’s reset link via e-mail.
I just publish an article with using before_on_create callback,
because is more useful way, which declare principe: Skinny
controllers, fat models.

On Jan 8, 8:18 am, Anatoly M. <rails-mailing-l…@andreas-
s.net> wrote:

You can send an e-mail with password reset link.
I use follow code for send uncrypted password, after that system will
encrypt the passwordhttp://www.railsgeek.com/2009/1/6/generate-random-password-in-rails

If you’re asking whether you can retrieve the password to send it to
forgetful users, the answer is no you can’t.

Fred

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs