Forum: Ruby on Rails Emailing lost passwords

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Gerry Shaw (Guest)
on 2006-01-09 02:12
This might be a stupid question and if so then humor me with a smart
remark and the answer :)

I want to have a feature on my site that allows me to email forgotten
passwords back to the user (like what Backpack does).  Now I'm currently
encrypting the user's password + salt before saving to the database
using code borrowed from the LoginGenerator.

The question I have is: is there any way to get the user's password after
it's been SHA1'ed, or do I have to store the user's password as plain text
in the database?

If I have to store it as plain text, isn't that a bit insecure?  And if so
why does Backpack (and I'm assuming others) do it?

If I want to have the password encrypted in the database, is my only
option to change their password to a new value?

Thanks!
Scott Barron (Guest)
on 2006-01-09 02:31
(Received via mailing list)
On Mon, Jan 09, 2006 at 02:12:21AM +0100, Gerry Shaw wrote:
> in the database?
>
> If I have to store is plain text, isn't that a bit insecure?  And if so
> why does backpack (and I'm assuming others do it?)
>
> If I want to have the password encrypted in the database is my only
> option to change their password ot a new value?
>
> Thanks!
>

Nope, you can't un-SHA1 the password.  The only way to send it back is
to store it plain text (or use encryption, which is fairly pointless).
It's marginally less secure, if someone gets access to your database; at
which point they've got all the data anyway.  It's a tradeoff of
convenience for a slight decrease in security.

-Scott
Gerry Shaw (Guest)
on 2006-01-09 02:34
Thanks for the sanity check (and quick reply).  Just checking to make
sure I wasn't missing anything obvious.
Michael Trier (Guest)
on 2006-01-09 02:37
(Received via mailing list)
For security reasons I've always taken the approach of using an
algorithm to generate a new strong password, change the user's password,
and then email that to the user.  I think most users will appreciate the
fact that you've created a new secure password for them.  At least it
gives them a feeling that their password is not out in the open.

Michael Trier
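The two points made in this thread, that a salted SHA1 digest cannot be reversed (Scott's reply) and that the workable alternative is to generate a fresh strong password, store only its hash and email the plaintext once (Michael's reply), are shown together below. This is an added example, not code from the thread, from LoginGenerator or from Backpack; it is plain Ruby with no Rails dependency, and the `salt`/`hashed_password` attribute names and the `"#{salt}--#{password}--"` digest layout are assumptions chosen to resemble LoginGenerator-style models of that era.

```ruby
require "digest/sha1"
require "securerandom"

# Added example (not the thread's or LoginGenerator's code). A stand-in for a
# Rails User model: attribute names and digest layout are assumptions.
class User
  attr_reader :email, :salt, :hashed_password

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(16)          # per-user random salt
    @hashed_password = self.class.hash_password(password, @salt)
  end

  # One-way salted digest. There is no inverse operation: given salt and
  # hashed_password alone, the original password cannot be recovered, which
  # is exactly why "email me my password" cannot work with hashed storage.
  def self.hash_password(password, salt)
    Digest::SHA1.hexdigest("#{salt}--#{password}--")
  end

  # Login check: recompute the digest and compare in constant time so the
  # comparison does not leak how many leading bytes matched.
  def authenticate(password)
    secure_compare(self.class.hash_password(password, salt), hashed_password)
  end

  # The flow Michael Trier describes: replace the password with a freshly
  # generated strong one, persist only its hash (with a new salt), and return
  # the plaintext exactly once so the caller can email it to the user.
  def reset_password!
    new_password = SecureRandom.urlsafe_base64(12)   # 12 random bytes -> 16 chars
    @salt = SecureRandom.hex(16)                     # rotate the salt too
    @hashed_password = self.class.hash_password(new_password, @salt)
    new_password
  end

  private

  # Constant-time string comparison (same idea as Rails' secure_compare).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  user = User.new("alice@example.com", "correct horse")   # constructed sample user
  puts user.authenticate("correct horse")   # true
  puts user.authenticate("wrong")           # false
  temp = user.reset_password!
  puts "Emailing one-time password: #{temp}"  # the only copy of the plaintext
  puts user.authenticate("correct horse")   # false: old password is gone
  puts user.authenticate(temp)              # true
end
```

The mailer only ever sees the return value of `reset_password!`; nothing recoverable stays in the database, so a database leak exposes salted digests rather than reusable passwords. SHA1 is used here only because it is what the thread discusses; a current Rails application would use `has_secure_password` (bcrypt) for the digest and keep the same reset-and-email shape.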