Encryption-Decryption in Rails

悲哀的现实 2020-12-18 04:09

I am using require 'digest/sha1' to encrypt my password and save into database. During login I authenticate by matching the encrypted password saved in databa

5 answers
  • 2020-12-18 04:24

    As Horace Ho explained, you should never encrypt a password but always store a crypted salt.

    However, it's perfectly fine to crypt other kinds of data, such as confidential information. Encryptor is a simple but powerful wrapper for OpenSSL. It provides the ability to encrypt/decrypt attributes in any class.

  • 2020-12-18 04:24

    Look at the ezcrypto gem: http://ezcrypto.rubyforge.org/

    There's also the crypt gem; look at Blowfish: http://crypt.rubyforge.org

  • 2020-12-18 04:30

    To do two-way encryption on other database fields, check out the attr_encrypted gem

    https://github.com/shuber/attr_encrypted

    But as others mentioned, you wouldn't want to do this on a password. Passwords should be stored one way. For forgotten password functionality you usually email them an impossible-to-guess URL that would let them choose a new password.

    There is an example here: http://railscasts.com/episodes/274-remember-me-reset-password?view=asciicast

  • 2020-12-18 04:32

    SHA1 is a one-way function; you can't reverse it.

    This may be of interest re password resets: http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/

    If you want to do encryption/decryption then you should use something like AES. Once you start using encryption/decryption, however, you'll also have to start worrying about key management too.

    Regarding your comment to the OP below - if you are going to be storing CC info, I would advise you get a security person in who knows about crypto, key management etc. and who also understands the relevant legal and regulatory aspects.

  • 2020-12-18 04:43

    Don't encrypt a password. Instead, store the hash of a password (better with a salt).

    To forget a password usually means (re-)authentication via another channel, say, an email notification of password reset.

    Watch http://railscasts.com/episodes/209-introducing-devise if you need something already pre-built.

    Edit: if you really need encryption, google "openssl ruby".

    There is never a simple solution for secure work. How good your implementation is gets determined by the weakest link.

    So, my recommendation is: don't count on a short answer on SO ;-)

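An added example (not from any of the answers above) that puts the two pieces of advice in this thread into working Ruby using only the OpenSSL stdlib: a salted, one-way PBKDF2 hash for passwords with constant-time verification, and AES-256-GCM for other confidential fields that genuinely need to be decrypted again. The key handling is an assumption: the caller supplies a 32-byte key kept outside the database (e.g. Rails credentials or an environment variable).

```ruby
require 'openssl'
require 'securerandom'

# --- Passwords: one-way, salted, slow hash (PBKDF2-HMAC-SHA256); never reversible ---
PBKDF2_ITERATIONS = 100_000
HASH_LEN = 32

# Returns "salt_hex$hash_hex"; a fresh random salt per user means two users with
# the same password get different stored values.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, HASH_LEN, OpenSSL::Digest.new('sha256'))
  "#{salt.unpack1('H*')}$#{digest.unpack1('H*')}"
end

# Constant-time comparison: a mismatch must not leak which byte differed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  salt_hex, hash_hex = stored.split('$', 2)
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, [salt_hex].pack('H*'), PBKDF2_ITERATIONS, HASH_LEN, OpenSSL::Digest.new('sha256'))
  secure_equal?(candidate, [hash_hex].pack('H*'))
end

# --- Other confidential fields: two-way, authenticated encryption (AES-256-GCM) ---
# Assumption: `key` is 32 bytes supplied from outside the database (credentials /
# env var), never stored next to the ciphertext. Output is "iv_hex$tag_hex$ct_hex".
def encrypt_field(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv        # 12 random bytes; never reuse an IV under the same key
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |s| s.unpack1('H*') }.join('$')
end

# Raises OpenSSL::Cipher::CipherError if the blob was tampered with or the key is wrong,
# so a modified database row is rejected instead of silently decrypting to garbage.
def decrypt_field(key, blob)
  iv, tag, ciphertext = blob.split('$', 3).map { |h| [h].pack('H*') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end
```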