From: “trevor” email@example.com
I’m not being sarcastic… I just don’t quite get it…
It’s kind of a client vs. server issue. The server (the database in
this case) can indeed store passwords in some hashed representation.
But the client (rails in this case) has to connect to the database and
send the clear password to the database.
So, the best rails (as a client of the database) could do, is attempt
to obscure the password (as the CVS client does in its .cvspass files.)
But obscuring the password on the client side is not really secure,
because the client has to be able to turn the obscured password back
into cleartext in order to gain access to the server (the database.)
So if the passwords are merely obscured, and your file permissions
are wrong, then anybody who can see the obscured passwords can
turn them back into cleartext with the same algorithm the legitimate
client must use in order to supply the password to the server.
So file permissions are really the only real defense (that I know of)
against passwords on the client side being seen by unauthorized
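To make the point of the reply concrete, here is an added example (not from the thread) in Ruby: a toy, constructed "obscuring" transform stands in for a CVS-style scramble, a reader of the config file recovers the cleartext with the same public algorithm the client uses, and a permission check implements the only defense the reply names. The file name, the `recover_password` and `credential_file_problems` helpers and the sample YAML are all assumptions.

```ruby
require "yaml"
require "tmpdir"

# Toy "obscuring" transform, constructed for illustration (not the CVS
# .cvspass scheme): a fixed byte rotation, hex-encoded. Because the client
# must invert it to log in, anyone who can read the file can invert it too.
def obscure(password)
  password.bytes.map { |b| (b + 13) % 256 }.pack("C*").unpack1("H*")
end

def unobscure(obscured)
  [obscured].pack("H*").bytes.map { |b| (b - 13) % 256 }.pack("C*")
end

# What any reader of the config file can do: parse it and recover the
# cleartext with the same public algorithm the legitimate client uses.
def recover_password(path, env = "production")
  unobscure(YAML.safe_load(File.read(path))[env]["password"])
end

# The defense the post points to: file permissions. Returns the list of
# problems found with the credentials file (empty means it is acceptable).
def credential_file_problems(path)
  problems = []
  st = File.stat(path)
  mode = st.mode & 0o777
  problems << format("mode %04o is readable by group or others", mode) if (mode & 0o077) != 0
  problems << "file is not owned by the current user" if st.uid != Process.euid
  problems
end

# Write a constructed database.yml-style file and check it both ways.
def demo
  path = File.join(Dir.tmpdir, "database-example-#{Process.pid}.yml")
  File.write(path, "production:\n  adapter: mysql\n  password: #{obscure('s3cret!')}\n")
  File.chmod(0o644, path)          # the "wrong permissions" case
  loose = credential_file_problems(path)
  File.chmod(0o600, path)          # owner-only, the acceptable case
  tight = credential_file_problems(path)
  { recovered: recover_password(path), loose: loose, tight: tight }
ensure
  File.delete(path) if path && File.exist?(path)
end
```

Run `demo` to see that the obscured value is recovered verbatim regardless of mode, and that only the 0644 copy is flagged.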