Bora Boyoz

Reputation: 3

Password security problems

A web service stores user information in a database and uses passwords for authentication. Here's how user password storage and authentication are implemented in Ruby (the actual data storage and retrieval is outside the scope of the example):

require 'digest'

class User

  # Use salted passwords
  PASSWORD_SALT="trustno1"

  # Stored password hash will be accessible through user.hashed_password
  attr_accessor :hashed_password

  # Authenticates user against given password and returns true if
  # the password matches the stored one
  def verify_password(password)
    if hashed_password.nil? || password.nil?
      false
    else
      User.hash_password(password) == hashed_password
    end
  end

  # Changes user's password
  def change_password(new_password)
    self.hashed_password = User.hash_password(new_password.to_s)
  end

  # Hashes the input with salt
  def self.hash_password(password)
    Digest::MD5.hexdigest(password + PASSWORD_SALT)
  end
end

However, I'm told that I have problems related to password security but I couldn't find any problem.

Upvotes: 0

Views: 362

Answers (1)

Niklas

Reputation: 298

If you really want to implement this yourself in Rails, you should use ActiveModel::SecurePassword::ClassMethods.
Your biggest problem is that you are trying to implement this by yourself. It is too easy to screw this up.

Upvotes: 1
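To make the concrete weaknesses in the question's scheme visible next to a sound replacement, here is an added example (not the asker's code and not Rails' ActiveModel::SecurePassword, which uses bcrypt under `has_secure_password`). It reproduces the posted hashing in `LegacyHasher` and contrasts it with a `SecureUser` class that uses a random per-user salt, PBKDF2-HMAC-SHA256 from Ruby's standard `openssl` library with an assumed work factor of 100,000 iterations, and a comparison that does not stop at the first differing byte. All class and method names are mine; the sample passwords are constructed.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Mirrors the scheme from the question so its properties can be observed:
# one fixed salt shared by every account and a fast, general-purpose hash.
module LegacyHasher
  PASSWORD_SALT = "trustno1".freeze

  def self.hash_password(password)
    Digest::MD5.hexdigest(password + PASSWORD_SALT)
  end
end

# Hardened replacement (example code): random salt per account plus a
# deliberately slow password-based key derivation function.
class SecureUser
  ITERATIONS  = 100_000   # PBKDF2 work factor; assumed value, tune for your hardware
  KEY_LENGTH  = 32        # bytes of derived key stored per account
  SALT_LENGTH = 16        # bytes of random salt generated per account

  attr_reader :salt, :hashed_password

  # Generates a fresh salt every time the password changes and stores the
  # derived key; both salt and key must be persisted for later verification.
  def change_password(new_password)
    @salt = SecureRandom.random_bytes(SALT_LENGTH)
    @hashed_password = SecureUser.derive(new_password.to_s, @salt)
  end

  # Re-derives the key from the candidate password and the stored salt and
  # compares it to the stored key in constant time.
  def verify_password(password)
    return false if hashed_password.nil? || password.nil?
    candidate = SecureUser.derive(password, salt)
    SecureUser.constant_time_equal?(candidate, hashed_password)
  end

  def self.derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                               OpenSSL::Digest.new('SHA256'))
  end

  # XOR-accumulating comparison: the run time does not depend on where
  # the two strings first differ, unlike String#==.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# With a fixed, shared salt, two accounts that choose the same password end
# up with byte-identical stored values, so one precomputed table covers every
# account and shared passwords are visible at a glance in a leaked database.
def legacy_same_password_same_digest?(password)
  LegacyHasher.hash_password(password) == LegacyHasher.hash_password(password)
end

# With a random per-account salt the same password yields distinct salts and
# distinct stored keys, so each account has to be attacked separately.
def secure_same_password_distinct_digest?(password)
  u1 = SecureUser.new
  u2 = SecureUser.new
  u1.change_password(password)
  u2.change_password(password)
  u1.salt != u2.salt && u1.hashed_password != u2.hashed_password
end

if __FILE__ == $0
  pw = "hunter2"   # constructed sample password
  puts "legacy: identical digests for identical passwords? #{legacy_same_password_same_digest?(pw)}"
  puts "pbkdf2: distinct digests for identical passwords?  #{secure_same_password_distinct_digest?(pw)}"
  u = SecureUser.new
  u.change_password(pw)
  puts "verify correct: #{u.verify_password(pw)}, verify wrong: #{u.verify_password('letmein')}"
end
```

The three properties the example isolates are the ones a reviewer would flag in the posted class: a salt that is the same for every user (and visible in source), a hash function fast enough that guessing is cheap, and an equality check that short-circuits. Storing the salt beside the derived key, as `SecureUser` does, is the normal layout; the salt is not secret, it only has to be unique.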
