Forum: Ruby on Rails hashed password, send reminder email...impossible?

Daniel (Guest)
on 2006-06-04 22:22
Is it possible to somehow send an email containing the user password if
it is stored as a md5 hash in the database?

Is it stupid to save the passwords as clear text strings in the db? It's
a web shop.

A workaround would be to generate a new password and send it to the
user. If the user then wants to, he may change to another password.

Any other thoughts on this?

//D
Adrian (Guest)
on 2006-06-04 22:26
Daniel wrote:
> Is it possible to somehow send an email containing the user password if
> it is stored as a md5 hash in the database?
>
> Is it stupid to save the passwords as clear text strings in the db? It's
> a web shop.
>
> A workaround would be to generate a new password and send it to the
> user. If the user then wants to, he may change to another password.
>
> Any other thoughts on this?
>
> //D

I'd certainly go with generating a new password to send them - they can
always change it when they log in. Don't save your passwords in plain
text.
Kevin Olbrich (Guest)
on 2006-06-04 22:42
(Received via mailing list)
On Sunday, June 04, 2006, at 10:22 PM, Daniel wrote:
>
>//D
>

You can't get the password back once it's been hashed.
I'd go for your second choice here.

_Kevin
unknown (Guest)
on 2006-06-04 23:44
(Received via mailing list)
This is quite important even if it's for something where security
doesn't really matter, because many people choose the same password
for everything. I always cringe when I receive my password (a randomly
generated sequence of 9 alpha-numerics) in an email.
-Nathan

On 4 Jun 2006 20:39:58 -0000, Kevin Olbrich
Calle Dybedahl (Guest)
on 2006-06-05 09:15
(Received via mailing list)
>>>>> "Daniel" == Daniel  <big@chello.se> writes:

> Is it possible to somehow send an email containing the user password if
> it is stored as a md5 hash in the database?

No. That it's impossible is the entire point of the hashing.

> Is it stupid to save the passwords as clear text strings in the db?
> It's a web shop.

It is very bad security practice. If you do that, everybody who gets
access to your database (legitimately or not) can trivially pretend to
be any customer they like.

> A workaround would be to generate a new password and send it to the
> user. If the user then wants to, he may change to another password.

This is the right way of doing it. To up the security another notch,
force the user to change their password the first time they log in
with the mailed-out one (mail is not a secure distribution path).
--
Calle Dybedahl <calle@cyberpomo.com>
http://www.livejournal.com/users/cdybedahl/
"Women. They don't even make sense when you are one." -- babycola
Steve Madsen (sjmadsen)
on 2006-06-06 01:47
Calle Dybedahl wrote:
>> A workaround would be to generate a new password and send it to the
>> user. If the user then wants to, he may change to another password.
>
> This is the right way of doing it. To up the security another notch,
> force the user to change their password the first time they log in
> with the mailed-out one (mail is not a secure distribution path).

I'd avoid changing the password at all until you have some assurance
that the reset request is legitimate.  Consider the scenario where
someone comes along, tries to log in as you, clicks "I forgot my
password".  Now your password is changed and you can't log in until you
go dig into your email to discover that you need to use something
different.  Let's hope that email isn't lost to an overzealous spam
filter.

I've solved this problem in the past by using a separate column in my
users table where I generate some unguessable token, then email a link
to the user at their email address of record.  The link contains the
token, and if it matches what I have in the DB, I let them change their
password.

Also remember that storing a simple hash of the password is less than
ideal, too.  An attacker that gets your database only has to generate
hashes for his large dictionary of passwords, then compare this to your
DB.  Adding salts (a few characters of randomness) and then MD5'ing
salt+password defeats this attack.
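The token-based reset flow and salted hashing Steve describes, as an added example written for this page (not code from any poster in the thread). It goes beyond the post in three ways: only a hash of the reset token is stored, the token expires and is single-use, and the password hash is PBKDF2-HMAC-SHA256 rather than salt+MD5. `USERS`, `RESET_TTL` and the function names are constructed stand-ins for a Rails model.

```ruby
require "securerandom"
require "openssl"

# Constructed in-memory stand-in for the users table; in Rails these would be model columns.
# Only a hash of the reset token is stored, so a copy of the database alone yields no usable link.
USERS = {}
ITERATIONS = 100_000 # PBKDF2 work factor
RESET_TTL = 3600     # seconds a mailed-out link stays valid

# Salted, slow password hash (PBKDF2-HMAC-SHA256 in place of the thread's salt+MD5).
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
end

# Constant-time comparison so a mismatch leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def create_user(email, password)
  salt = SecureRandom.random_bytes(16)
  USERS[email] = { salt: salt, password_hash: hash_password(password, salt) }
end

def password_valid?(email, password)
  user = USERS[email]
  user ? secure_equal?(hash_password(password, user[:salt]), user[:password_hash]) : false
end

# Step 1: store a token hash, return the raw token for the e-mailed link; the current password stays valid.
def request_reset(email, now: Time.now)
  user = USERS[email]
  return nil unless user
  token = SecureRandom.urlsafe_base64(32)
  user[:reset_token_hash] = OpenSSL::Digest::SHA256.hexdigest(token)
  user[:reset_expires_at] = now + RESET_TTL
  token
end

# Step 2: only a matching, unexpired token may set a new password; the token is then consumed.
def reset_password(email, token, new_password, now: Time.now)
  user = USERS[email]
  return false unless user && user[:reset_token_hash] && now <= user[:reset_expires_at]
  return false unless secure_equal?(OpenSSL::Digest::SHA256.hexdigest(token), user[:reset_token_hash])
  user[:salt] = SecureRandom.random_bytes(16)
  user[:password_hash] = hash_password(new_password, user[:salt])
  %i[reset_token_hash reset_expires_at].each { |k| user.delete(k) }
  true
end
```

Because `request_reset` never touches the stored password, an unsolicited "I forgot my password" click cannot lock the real user out, which is the failure Steve warns about.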
Anatoly Mikhailov (mikhailov)
on 2009-01-08 09:18
You can send an e-mail with a password reset link.
I use the following code to send the unencrypted password; after that the system will
encrypt the password:
http://www.railsgeek.com/2009/1/6/generate-random-...
Frederick Cheung (Guest)
on 2009-01-08 10:26
(Received via mailing list)
On Jan 8, 8:18 am, Anatoly Mikhailov <rails-mailing-l...@andreas-s.net> wrote:
> You can send an e-mail with a password reset link.
> I use the following code to send the unencrypted password; after that the system will
> encrypt the password:
> http://www.railsgeek.com/2009/1/6/generate-random-...

If you're asking whether you can retrieve the password to send it to
forgetful users, the answer is no you can't.

Fred
Anatoly Mikhailov (mikhailov)
on 2009-01-08 19:46
(Received via mailing list)
Sure, you can't send the forgotten password. So, the more secure way is to
store a hashed password instead of an unencrypted one.
I usually send a password reset link via e-mail.
I just published an article on using the before_on_create callback,
because it is a more useful way, which follows the principle: skinny
controllers, fat models.