Oh, I understand the security implications. This is the result of a UI design decision. I won't waste space here with the why's of the matter. Suffice it to say a single username (email) will have multiple passwords. Each password will identify a separate account for that same username (email). Obviously, we should enable a single user to access multiple accounts, but we're not ready to do that right now.
I also do not mean to suggest the salt should go away. I mostly want to control what it is. If I can use the same salt for each of the username passwords, the hashes will match and then I can validate to be sure that they don't. It's a bit twisted that my reason for wanting the hashes to be the same is so I can force them to be different, but there it is.

On Aug 23, 10:04 am, Robert Walker <[email protected]> wrote:
> billv wrote in post #1018052:
>
> > I'm using the has_secure_password function in my Rails 3.1 model. I
> > need to verify that the passwords are unique. The has_secure_password
> > function stores the password in a bcrypt hash. It appears the hashes
> > are created with a salt unique to the record, therefore the hash is
> > unique even for the same password. Does anyone know a way around
> > this?
> >
> > As an example. If I create two users with the username "user" and the
> > password "password", the saved password_digest for each will be
> > different. Because I don't store the password itself, I can't check
> > to be sure the passwords are unique.
>
> So you are proposing to significantly reduce security of your passwords
> in order to ensure that two users don't happen to use the same password?
> Sounds counterproductive to me.
>
> Do you understand the reason, and security advantage, of salted hashes?
>
> What you need to worry about is making sure your users use strong
> passwords, not whether two users use the same one.
>
> Bottom line is that a lot of thought, by some really smart people, came
> up with the techniques used for securing computer systems. If you try to
> outthink them, chances are likely that you'll end up lessening the
> security of your system not strengthening it.
>
> --
> Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
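The requirement in this thread (no two accounts under the same email may share a password) does not actually need matching hashes or a fixed salt. The check can be done the same way a login is done: verify the candidate plaintext against each existing account's digest at the moment the password is set. The following is an added example, not code from the thread or from Rails. It assumes a stand-in hasher (PBKDF2-HMAC-SHA256 from Ruby's stdlib with a random per-record salt) so it runs without the bcrypt gem; with `has_secure_password` the `digest_matches?` call would be `BCrypt::Password.new(digest) == candidate`, and the account structure is a constructed array of hashes rather than an ActiveRecord relation.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for has_secure_password's bcrypt digest (assumption: bcrypt gem may
# not be installed here). Like bcrypt, every digest carries its own random salt,
# so hashing the same password twice yields two different strings.
ITERATIONS = 10_000 # kept low for the demo; production values are much higher
KEY_LENGTH = 32

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: KEY_LENGTH, hash: 'sha256')
end

# Returns "salt_hex$key_hex"; a fresh salt is drawn for every call.
def make_digest(password, salt = SecureRandom.random_bytes(16))
  "#{salt.unpack1('H*')}$#{derive_key(password, salt).unpack1('H*')}"
end

# Compare two byte strings without short-circuiting on the first mismatch,
# so timing does not leak how much of the key matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-derive the key with the salt stored in the digest and compare.
# This is the same operation a login performs (BCrypt::Password#== in Rails).
def digest_matches?(digest, candidate)
  salt_hex, key_hex = digest.split('$', 2)
  return false if salt_hex.nil? || key_hex.nil?
  recomputed = derive_key(candidate, [salt_hex].pack('H*'))
  constant_time_equal?(recomputed, [key_hex].pack('H*'))
end

# Accounts sharing one email, each with its own salted digest
# (constructed shape: [{ id: 1, password_digest: "..." }, ...]).
# The uniqueness rule is enforced by verifying the plaintext against every
# sibling digest, so per-record salts stay intact.
def password_reused?(sibling_accounts, candidate)
  sibling_accounts.any? { |acct| digest_matches?(acct[:password_digest], candidate) }
end

# Model-level validation sketch: refuse to save a new account whose password
# matches another account with the same email. Returns a list of errors.
def validate_new_account(existing_accounts_for_email, candidate_password)
  errors = []
  if password_reused?(existing_accounts_for_email, candidate_password)
    errors << 'password is already used by another account with this email'
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  first = make_digest('password')
  second = make_digest('password')
  puts "same password, different digests: #{first != second}"
  accounts = [{ id: 1, password_digest: first }]
  puts "reuse detected: #{password_reused?(accounts, 'password')}"
  puts "errors for new password: #{validate_new_account(accounts, 'other').inspect}"
end
```

The check costs one key derivation per sibling account and only runs when a password is set, so it does not change login cost or the stored format; the digests remain unequal for equal passwords exactly as the thread observes, yet the reuse is still caught.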

