Johan Allard 2 posts

Hi,

I just decided to implement the "store passwords securely" recipe, and one thing that doesn't make sense with it is that since it's using the password attribute when reading the password, this means that in my edit page there's now the encrypted password string being displayed in the password field, whereas I'd want it to be blank until I actually change the password for that particular user. Or am I missing something?

Cheers

Johan

Johan Allard 2 posts

OK, I've now updated some of the code and changed the following:


  # Renamed from "password" so the hash object is no longer the value that
  # a form field bound to :password would render.
  def password_hash
    @password_hash ||= BCrypt::Password.new(self.hashed_password)
  end

  def self.authenticate(name, password)
    if user = self.find_by_name(name)
      # BCrypt::Password#== hashes the candidate with the stored salt and cost
      # before comparing, so the plain-text password is never compared directly.
      user = nil if user.password_hash != password
    end
    user
  end

This will leave the password variable blank, so it won't show up in the user's password field, but the password will still be hashed properly when it is set.


Maik Schmidt 10 posts

Johan:

I'm not sure I've fully understood your problem. I suppose you've created views for creating and editing users and you've used Rails' form_for() helper to manage a user's attributes, and when editing a user the password's hash value appeared in the password field?

Of course, your solution works, but wouldn't it be easier to initialize the password field in the edit view:

<%= f.password_field "password", :value => "" %>

This way you could set whatever default value you like, and you could still name the password attribute "password", which is slightly better than "password_hash" in my opinion.

Cheers,

Maik


Cody Russell 1 post

I don't know much about cryptology or anything, and now I'm presented with two different options for authenticating users and storing passwords, and I'm not sure which is the better one to use.

The first is Recipe #31 from Chad Fowler’s Rails Recipes book, and the second is yours.

Can you, or anyone really, tell me which of the two is the more modern/preferred/secure way of doing it?


Maik Schmidt 10 posts

Cody:

The bcrypt approach is more secure, I think. bcrypt is used by OpenBSD and has been developed especially for hashing passwords. SHA, MD5 and friends were designed for calculating unique fingerprints of large amounts of data as fast as possible.

Under the hood bcrypt also hashes the password with some added salt, but it uses a hash algorithm that is computationally expensive. This makes it much more difficult to crack a password, because the attacker has to run the expensive algorithm too.

In the section titled “How bcrypt() works” at http://bcrypt-ruby.rubyforge.org/ you can find a short and nice description of bcrypt.

Cheers,

Maik

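The following is an added example, not code from the Rails Recipes book or from anyone in this thread. It ties together the two points raised above: Johan's problem of the stored hash leaking into the edit form's password field (and, relatedly, a blank field on save wiping the stored hash), and Maik's description of a salted, deliberately expensive hash with the cost carried alongside it. So that it runs with only Ruby's standard library, it uses PBKDF2-HMAC-SHA256 via OpenSSL as a stand-in for bcrypt; the structure (random per-user salt, tunable work factor stored with the hash, constant-time comparison) is the same idea, and swapping in BCrypt::Password would change only the derive/encode/decode helpers. The User class, its in-memory "table", and the attribute names are assumptions made for the example rather than the recipe's own.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not the recipe's or the thread's code). PBKDF2-HMAC-SHA256
# from Ruby's stdlib stands in for bcrypt so this runs without extra gems.
class User
  ITERATIONS = 100_000   # the "cost" knob: raise it as hardware gets faster
  KEY_LENGTH = 32        # bytes of derived key

  attr_reader :name, :hashed_password

  @@users = {}           # hypothetical in-memory stand-in for the users table

  def initialize(name)
    @name = name
    @hashed_password = nil
  end

  def save
    @@users[name] = self
    self
  end

  def self.find_by_name(name)
    @@users[name]
  end

  # Reader is deliberately blank: a form field bound to :password renders
  # empty on the edit page, and the hash is only reachable via hashed_password.
  def password
    nil
  end

  # Setter hashes on assignment with a fresh random salt. A blank value (what
  # an untouched edit form submits) is ignored so saving does not wipe the hash.
  def password=(plain)
    return if plain.nil? || plain.to_s.empty?
    salt = SecureRandom.random_bytes(16)
    key = self.class.derive(plain, salt, ITERATIONS)
    @hashed_password = self.class.encode(ITERATIONS, salt, key)
  end

  # Returns the user on success, nil for an unknown name, a user with no
  # password set, or a wrong password.
  def self.authenticate(name, plain)
    user = find_by_name(name)
    return nil unless user && user.hashed_password
    iterations, salt, expected = decode(user.hashed_password)
    candidate = derive(plain.to_s, salt, iterations)
    secure_compare(candidate, expected) ? user : nil
  end

  # The expensive, salted step. Same password + different salt => different key,
  # so a precomputed table for one user is useless against another.
  def self.derive(plain, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, iterations, KEY_LENGTH,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Stored as "iterations$salt$key" (hex), so the cost travels with the hash
  # and can be raised for new passwords without invalidating old ones.
  def self.encode(iterations, salt, key)
    [iterations.to_s, salt.unpack1('H*'), key.unpack1('H*')].join('$')
  end

  def self.decode(stored)
    iterations, salt_hex, key_hex = stored.split('$', 3)
    [Integer(iterations), [salt_hex].pack('H*'), [key_hex].pack('H*')]
  end

  # Constant-time byte comparison so the position of the first mismatch does
  # not leak through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Usage
alice = User.new('alice')
alice.password = 'correct horse battery staple'
alice.save
puts User.authenticate('alice', 'correct horse battery staple') ? 'login ok' : 'login failed'
puts User.authenticate('alice', 'wrong') ? 'login ok' : 'login failed'
puts "form field value: #{alice.password.inspect}"   # nil, so the edit form stays blank
```

Note that ITERATIONS is read at hash time and stored in the record; authenticate uses the stored count, which is what lets a deployment raise the cost later and rehash users as they log in.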
5 posts, 3 voices