This is quite important even if it’s for something where security
doesn’t really matter, because many people choose the same password
for everything. I always cringe when I receive my password (a randomly
generated sequence of 9 alpha-numerics) in an email.
-Nathan
Is it possible to somehow send an email containing the user password if
it is stored as an MD5 hash in the database?
No. That it’s impossible is the entire point of the hashing.
Is it stupid to save the passwords as clear text strings in the db?
It's a web shop.
It is very bad security practice. If you do that, everybody who gets
access to your database (legitimately or not) can trivially pretend to
be any customer they like.
A workaround would be to generate a new password and send it to the
user. If the user then wants to, he may change to another password.
This is the right way of doing it. To up the security another notch,
force the user to change their password the first time they log in
with the mailed-out one (mail is not a secure distribution path).
Calle D. <[email protected]>
http://www.livejournal.com/users/cdybedahl/
"Women. They don't even make sense when you are one." -- babycola
> A workaround would be to generate a new password and send it to the
> user. If the user then wants to, he may change to another password.
> This is the right way of doing it. To up the security another notch,
> force the user to change their password the first time they log in
> with the mailed-out one (mail is not a secure distribution path).
I’d avoid changing the password at all until you have some assurance
that the reset request is legitimate. Consider the scenario where
someone comes along, tries to log in as you, clicks “I forgot my
password”. Now your password is changed and you can’t log in until you
go dig into your email to discover that you need to use something
different. Let’s hope that email isn’t lost to an overzealous spam
filter.
I’ve solved this problem in the past by using a separate column in my
users table where I generate some unguessable token, then email a link
to the user at their email address of record. The link contains the
token, and if it matches what I have in the DB, I let them change their
password.
Also remember that storing a simple hash of the password is less than
ideal, too. An attacker that gets your database only has to generate
hashes for his large dictionary of passwords, then compare this to your
DB. Adding salts (a few characters of randomness) and then MD5’ing
salt+password defeats this attack.
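The token-based reset flow and salted hashing described in this post, as an added example that is not code from the thread: the account is left untouched until a link carrying an unguessable token is used, the token is stored only as a digest and expires, and each password gets its own random salt. SHA-256 from Ruby's stdlib stands in for the MD5 mentioned above, and the USERS hash is a constructed stand-in for the users table.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the users table: one row per email address.
USERS = {
  'alice@example.com' => { password_digest: nil, reset_digest: nil, reset_sent_at: nil }
}

RESET_TTL = 2 * 60 * 60 # seconds a reset link stays valid

# Compare two strings without leaking where they differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Salted hash: a fresh random salt per password, stored beside the digest,
# so a precomputed dictionary of hashes is useless against the table.
def hash_password(password, salt = SecureRandom.hex(16))
  "#{salt}$#{Digest::SHA256.hexdigest(salt + password)}"
end

def password_matches?(stored, password)
  salt, _digest = stored.split('$', 2)
  constant_time_equal?(stored, hash_password(password, salt))
end

# Step 1: "I forgot my password". Nothing about the account changes; only a
# token is issued. Storing a digest of it means a copy of the DB alone
# cannot be used to build a valid reset link.
def issue_reset_token(email, now = Time.now)
  user = USERS[email] or return nil
  token = SecureRandom.urlsafe_base64(32)
  user[:reset_digest] = Digest::SHA256.hexdigest(token)
  user[:reset_sent_at] = now
  token # this goes into the emailed link, e.g. /reset?token=...
end

# Step 2: the link is clicked. Only a matching, unexpired token may set a
# new password, and the token is consumed so the link cannot be reused.
def reset_password!(email, token, new_password, now = Time.now)
  user = USERS[email] or return false
  return false if user[:reset_digest].nil? || now - user[:reset_sent_at] > RESET_TTL
  return false unless constant_time_equal?(user[:reset_digest], Digest::SHA256.hexdigest(token))
  user[:password_digest] = hash_password(new_password)
  user[:reset_digest] = user[:reset_sent_at] = nil
  true
end
```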
Sure, you can't send the forgotten password. So the more secure way is to
store a hashed password instead of an unencrypted one.
I usually send a password’s reset link via e-mail.
I just published an article on using a before_on_create callback,
because it is a more useful way, which follows the principle: skinny
controllers, fat models.
On Jan 8, 8:18 am, Anatoly M. <rails-mailing-l…@andreas- s.net> wrote:
> You can send an e-mail with a password reset link.
> I use the following code to send the unencrypted password; after that the
> system will encrypt the password:
> http://www.railsgeek.com/2009/1/6/generate-random-password-in-rails
If you’re asking whether you can retrieve the password to send it to
forgetful users, the answer is no you can’t.
Fred