Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

working with hashed passwords in ruby

Tags:

security

ruby

Upfront, I'd like to confess to being a complete newbie to cryptography and password security. I'm trying to store passwords in a database being babysat by ruby. My understanding is that plaintext passwords should be appended to a random "salt" and that whole phrase should be hashed by some hashing algorithm such as:

    Digest::SHA1.hexdigest(salt_plus_plainpassword)

Once that string is stored in the database, how does one get it out again to verify that what the user entered is correct if there was a now unknown random salt appended to it?

like image 779
kmorris511 Avatar asked Jun 01 '09 00:06

kmorris511

2 Answers

The best way to do it is to store the salt is one for each user and it is generated based on the Time at the point they did it.

It's true that once a person has access to your database they can see the salt for users, but if this has happened you have bigger things to worry about.

The way you check your user's password is that you take their clear text input and crypt it with the salt and then compare the crypted_passwords, if they match they are authenticated. I don't believe that storing the salt is an issue as you will need it. If you are worried about SQL injection attacks you are better off securing your application against them rather than not storing information you need, in this case each users salt.

like image 51
nitecoder Avatar answered Oct 04 '22 20:10

nitecoder

Theoretically the salt serves two main purposes. The first is to prevent duplicate passwords to end up with the same hash value on the database. The second is to increase the length of the password, thus also increasing the difficulty of an attacker guessing a password.

But there is the problem of storing the salt, if you insert it on the database the second purpose is somewhat defeated in case someone grabs that data, ideally it should be stored on a different location, but this is only necessary if your application is very sensitive!

If the code of your application is not public, I'd say a possible way to circumvent this issue is to generate the salt based on a static value of each user, like the creation date or username, because if someone reads the database it is unclear whether or not you use salt...

like image 22
Filipe Miguel Fonseca Avatar answered Oct 04 '22 19:10

Filipe Miguel Fonseca
Sign in to Comment

Related questions

Why does Kernel#require raise a LoadError in Ruby?
RubyMine can't find Ruby SDK on Ubuntu
Extract date between single quotes in ruby
Embedded Font Error for Rails Prawn Document
Ruby - when is block executed?
How to optimise code that parses a 2-d array in Ruby
How to install Nokogiri on Ruby 2.7.0
How can I count the number of accesses/queries to database through Mongoid?
Conditional regex in Ruby
Can't install Ruby 2.0.0 through RVM
How does Ruby 1.9 handle character cases in source code?
When is it appropriate to use Time#utc in Rails 2.1?
Error installing newgem on linux
Rails ignoring render and redirect_to
Getting renders to recognize custom routing paths
Fetching 'action_name' or 'controller' from helper spec
best database strategy for a client-based website (Ruby on Rails)
What is your convention for specifying complex SQL queries in Rails?
How do you deploy a Ruby on Rails application on hostgator?
Are there any significant differences between blocks in Ruby vs Groovy?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!