RE: Retrieving SHG Password


#1

This would be completely custom work. Best practice for password
security is to use the hash and provide a reset mechanism for the user.
This way, the only person with access is the user with the password.
Even an Admin user can’t gain access without someone noticing (they have
to perform a password reset to get a new password, and the user will
notice this).

Encryption can be used, but this adds complexity: The private key must
be kept secure. If the admin uses the private key to get a user’s
password, how can you tell? If the key gets compromised, how do you
change the key?

Hashing is inherently more secure, and is less complex to administer,
which is why it is the preferred method.


From: Nicholas Van W. [mailto:removed_email_address@domain.invalid]
Sent: Saturday, November 26, 2005 8:35 AM
To: removed_email_address@domain.invalid
Subject: Re: [Rails] Retrieving SHG Password

I thought it might be something like that.

Anyone have recommendations for something that is retrievable? Maybe
something with a private key that an admin keeps separate from the
application?

Thanks,
Nick

On 11/25/05, Manuel H. removed_email_address@domain.invalid wrote:

On 25.11.2005 at 23:29, Nicholas Van W. wrote:

How does one retrieve an encrypted password generated with the Salted
Login Generator?

The whole idea of encrypting a password with MD5 or crypt (which SLG
uses) is that the password is hard - if not impossible - to decrypt.
There is “no way” of retrieving a password.

This secures passwords against stealing a user database, for example.
The only way you can allow users to log in again is to generate a new
password and send it to the email address they specified on registration.

Regards

Manuel H.
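The model both replies describe, a salted hash that cannot be reversed plus a reset path that replaces the credential (and so is visible to the user, even when an admin triggers it), as an added example written for this thread rather than code from the Salted Login Generator or the Rails project. It assumes PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library in place of the MD5/crypt the generator used; the class name, work factor, token length and token lifetime are choices made for the example, not values from the thread.

```ruby
require "openssl"
require "securerandom"

# Example password store (added here, not the Salted Login Generator's code).
# Only a random salt and a PBKDF2 hash are kept, so there is nothing to
# "retrieve"; recovery works by issuing a single-use, expiring reset token
# that is sent out of band (e.g. to the registered e-mail address).
class PasswordStore
  ITERATIONS = 100_000  # assumed work factor; tune for your hardware
  KEY_LEN = 32          # bytes of derived hash
  TOKEN_TTL = 3600      # assumed reset-token lifetime in seconds

  Record = Struct.new(:salt, :hash, :reset_token, :reset_expires_at)

  def initialize
    @users = {}
  end

  def create_user(name, password)
    salt, hash = derive(password)
    @users[name] = Record.new(salt, hash, nil, nil)
    nil
  end

  # Verify by re-deriving with the stored salt and comparing in constant
  # time. Nothing is decrypted; a stolen database yields salts and hashes only.
  def authenticate?(name, password)
    rec = @users[name] or return false
    _, candidate = derive(password, rec.salt)
    OpenSSL.secure_compare(candidate, rec.hash)
  end

  # Step 1 of a reset: mint a random token. The caller sends it to the user;
  # the admin never learns (or needs) the old password.
  def issue_reset_token(name, now = Time.now)
    rec = @users[name] or return nil
    rec.reset_token = SecureRandom.hex(32)
    rec.reset_expires_at = now + TOKEN_TTL
    rec.reset_token
  end

  # Step 2: a valid, unexpired token allows a new password to be set. The old
  # hash is replaced, so the previous password stops working and the user
  # notices if the reset was not theirs. The token is consumed on use.
  def reset_password(name, token, new_password, now = Time.now)
    rec = @users[name] or return false
    return false if rec.reset_token.nil? || rec.reset_expires_at < now
    return false unless OpenSSL.secure_compare(rec.reset_token, token)
    rec.salt, rec.hash = derive(new_password)
    rec.reset_token = rec.reset_expires_at = nil
    true
  end

  # What an admin (or an attacker with the database) can see for a user:
  # the salt and the hex hash, never the password itself.
  def stored_fields(name)
    rec = @users[name] or return nil
    { salt: rec.salt, hash: rec.hash.unpack1("H*") }
  end

  private

  # PBKDF2-HMAC-SHA256 (assumed here in place of SLG's MD5/crypt); a fresh
  # 16-byte salt is generated when none is supplied.
  def derive(password, salt = SecureRandom.hex(16))
    hash = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                      OpenSSL::Digest.new("SHA256"))
    [salt, hash]
  end
end

if $PROGRAM_NAME == __FILE__
  store = PasswordStore.new
  store.create_user("nick", "correct horse")   # constructed sample user
  puts "login ok: #{store.authenticate?('nick', 'correct horse')}"
  puts "stored:   #{store.stored_fields('nick')}"
  token = store.issue_reset_token("nick")
  puts "reset ok: #{store.reset_password('nick', token, 'new password')}"
  puts "old pw:   #{store.authenticate?('nick', 'correct horse')}"
end
```

The reset token is the only secret that ever leaves the system, and it expires and is consumed on first use; the stored record changes on every reset, which is the audit signal the first reply points to when it says an admin cannot gain access "without someone noticing".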