Valid hashed passwords


#1

Hey all - just wanted to check if I’m going about this in the right
way…

I have class User, user has a password

Password should only be valid if it’s between 6 and 16 chars in
length.

New user is created if everything is valid and it’s stored to the db.

After saving to the database, the password is then hashed making it
over 16 chars in length.

The User record no longer passes validation.

In the past I’ve just figured this wasn’t an issue; just make sure the
object is valid before saving it to the db.

However, if using validates_associated on any of a Users children, the
child object becomes invalid because the user is no longer passing
validation

In the past I’ve just dropped the validates_associated as it wasn’t
strictly necessary. - I’d just make sure I always called
User.children.create

Is there a better way to handle this?


#2

Gavin M. wrote:

Hey all - just wanted to check if I’m going about this in the right
way…

I have class User, user has a password

Password should only be valid if it’s between 6 and 16 chars in
length.

First of all, don’t limit the length of a user’s password. At least not
down to 16 chars. All you’re doing is limiting the level of security the
user can have. If they want 20 or even 30 or 40 character passwords, so
what. I use long random passwords all the time in combination with a
password manager.

New user is created if everything is valid and it’s stored to the db.

After saving to the database, the password is then hashed making it
over 16 chars in length.

SHA1, or whatever message digest (hash) algorithm, is always going to be
the same length no matter how long, or short, the cleartext password is,
so there’s no reason to put any limitations on the cleartext password.

The User record no longer passes validation.

Don’t hack off the end of your message digest and this won’t happen.

In the past I’ve just figured this wasn’t an issue; just make sure the
object is valid before saving it to the db.

You figured wrong. :slight_smile:

However, if using validates_associated on any of a Users children, the
child object becomes invalid because the user is no longer passing
validation

In the past I’ve just dropped the validates_associated as it wasn’t
strictly necessary. - I’d just make sure I always called
User.children.create

Is there a better way to handle this?

In a word yes. See above.


#3

Don’t store the plain text and the hashed password in the same
column. Create the methods for the plain text password in your model
and store the hashed (and salted and stretched I hope) value in the
database. Then fix your validation, since the model should be
checking the password before hashing, not as part of the validation.
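Here is the pattern #3 describes, worked through in plain Ruby (an added example, not code from anyone in this thread and not a Rails API). A stand-in User class keeps the clear-text password as a virtual attribute that is never persisted, validates that clear text only when one has been supplied, stores a salted and stretched PBKDF2 digest, and checks a login attempt against it. The iteration count, the 6-character minimum from #1, the large upper cap (a cost guard, not a security limit, per #2), and the digest encoding format are all assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Stand-in for a Rails model (added example). The clear-text password is
# a virtual attribute; only a salted, stretched digest is "stored", and
# validation looks at the clear text before hashing. A record reloaded
# with just the digest (password nil) therefore still validates, which
# is what breaks validates_associated when both live in one column.
class User
  ITERATIONS = 100_000   # assumed PBKDF2 stretching factor; tune to your hardware
  KEY_LENGTH = 32
  DIGEST     = "sha256"
  MIN_LENGTH = 6         # minimum from the original post
  MAX_LENGTH = 1024      # assumed generous cap to bound hashing cost, not to limit users

  attr_accessor :name, :password        # :password is virtual, never persisted
  attr_reader   :password_digest, :errors

  def initialize(name: nil, password: nil, password_digest: nil)
    @name = name
    @password = password
    @password_digest = password_digest
    @errors = []
  end

  # Validate the clear text only when one is present (new record or a
  # password change). A persisted record carries only the digest, so the
  # length rule is never applied to the hash.
  def valid?
    @errors = []
    @errors << "name can't be blank" if name.nil? || name.empty?
    if password.nil?
      @errors << "password can't be blank" if password_digest.nil?
    else
      len = password.bytesize
      @errors << "password is too short (minimum #{MIN_LENGTH})" if len < MIN_LENGTH
      @errors << "password is too long (maximum #{MAX_LENGTH})" if len > MAX_LENGTH
    end
    @errors.empty?
  end

  # Stand-in for a before_save hook: hash the clear text, then discard it.
  # Returns the row that would be written to the database, or nil if invalid.
  def save
    return nil unless valid?
    if password
      salt = SecureRandom.hex(16)
      hex = self.class.stretch(password, salt, ITERATIONS)
      @password_digest = "pbkdf2-#{DIGEST}$#{ITERATIONS}$#{salt}$#{hex}"
      @password = nil
    end
    { name: name, password_digest: password_digest }
  end

  # Compare a login attempt against the stored digest, re-deriving with the
  # salt and iteration count recorded alongside it.
  def authenticate(attempt)
    return false if password_digest.nil? || attempt.nil?
    _scheme, iterations, salt, hex = password_digest.split("$", 4)
    secure_compare(self.class.stretch(attempt, salt, iterations.to_i), hex)
  end

  # PBKDF2-HMAC over the clear text; output is hex so it is safe in a text column.
  def self.stretch(plain, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: DIGEST).unpack1("H*")
  end

  private

  # Constant-time comparison so a wrong guess does not leak how many
  # leading bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Round trip: create, "store", reload from the stored row, authenticate.
def demo
  user = User.new(name: "gavin", password: "correct horse battery staple")
  row = user.save
  reloaded = User.new(**row)
  {
    new_valid: user.valid?,
    reloaded_valid: reloaded.valid?,
    login_ok: reloaded.authenticate("correct horse battery staple"),
    login_bad: reloaded.authenticate("wrong password")
  }
end
```

In a real model the same shape maps onto `attr_accessor :password`, a `validates` on that virtual attribute guarded by `if: -> { password.present? }`, and a `before_save` callback that fills `password_digest`; Rails' `has_secure_password` packages exactly this arrangement around bcrypt.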


#4

Got it - thank you both for clearing that up