Storing encrypted passwords in the database

casper_the_ghost · January 18, 2008, 12:02am

Hi,

I have a password column in my customer table. Right now, the
scaffolding saves the passsword in plain text. If I wanted to store
the password in an encrypted form, what is the easiest way of doing
that?

Much thanks, - Dave

casper_the_ghost · January 18, 2008, 12:14am

Have a look at what acts_as_authenticated/restful_authentication does.

On Jan 18, 2008 9:32 AM, [email protected] <
[email protected]> wrote:

–
Ryan B.

Feel free to add me to MSN and/or GTalk as this email.

casper_the_ghost · January 18, 2008, 12:59am

Ditto on the plugins Ryan mentioned. It’s important to note that you
shouldn’t store the encrypted password – instead, you should store a
salted hash, which is much more secure. There are lots of resources that
discuss how and why.

casper_the_ghost · January 18, 2008, 1:52am

I would recommend the same, except SHA256 instead of the SHA1 that
restful authentication uses.

casper_the_ghost · January 18, 2008, 11:26pm

Those plugins generate code that you can put anywhere. If you want to
keep an existing table, you could add all of restful_authentication’s
fields to that table and just copy the generated User model code into
your Customer model. Or, it might be easier to do it the other way
around.

On Jan 18, 3:09 pm, “[email protected]”

casper_the_ghost · January 19, 2008, 12:59am

I like this idea (doing it the other way around, that is).

I have a follow up question on the subject of encryption/salted
hashes. If I want to (for lack of a better word) encrypt some of the
other fields in the database, can I use the plugin(s) above to do
that? Otherwise, how would you recommend I get it done?

Thanks, - Dave

casper_the_ghost · January 18, 2008, 11:10pm

Regarding the resultful_authentication (since it seems
acts_as_authenticated is deprecated), how would I configure my app so
that restful_authentication uses an existing table I have (customer)
with its fields (customer.username, customer.password)?

Thanks, - Dave

casper_the_ghost · January 19, 2008, 1:35am

You could use the same methods in those plugins. The way it works is
the data is run through a one-way hashing function. You store this
hash in the database. Of future requests, you must hash the user input
then compare it to the hash you have in the database. It’s one way
though, so there is no feasible way to know what the original data was

only the hash that was derived from it. This is why most
authentication systems require you to “reset” your password instead of
just telling you the original - they don’t know the original password.

On Jan 18, 4:58 pm, “[email protected]”