Your UI decision seems strange - not only do I have to remember my password - but a different password is going to give me different access????
How do I reset my password???

On Aug 23, 2011 7:30 AM, "billv" <[email protected]> wrote:
>
> Oh, I understand the security implications. This is the result of a UI design decision. I won't waste space here with the why's of the matter. Suffice it to say a single username (email) will have multiple passwords. Each password will identify a separate account for that same username (email). Obviously, we should enable a single user to access multiple accounts, but we're not ready to do that right now.
>
> I also do not mean to suggest the salt should go away. I mostly want to control what it is. If I can use the same salt for each of the username passwords, the hashes will match and then I can validate to be sure that they don't.
>
> It's a bit twisted that my reason for wanting the hashes to be the same is so I can force them to be different, but there it is.
>
>
> On Aug 23, 10:04 am, Robert Walker <[email protected]> wrote:
> > billv wrote in post #1018052:
> >
> > > I'm using the has_secure_password function in my Rails 3.1 model. I need to verify that the passwords are unique. The has_secure_password function stores the password in a bcrypt hash. It appears the hashes are created with a salt unique to the record, therefore the hash is unique even for the same password. Does anyone know a way around this?
> > >
> > > As an example: if I create two users with the username "user" and the password "password", the saved password_digest for each will be different. Because I don't store the password itself, I can't check to be sure the passwords are unique.
> >
> > So you are proposing to significantly reduce the security of your passwords in order to ensure that two users don't happen to use the same password? Sounds counterproductive to me.
> >
> > Do you understand the reason, and security advantage, of salted hashes?
> >
> > What you need to worry about is making sure your users use strong passwords, not whether two users use the same one.
> >
> > Bottom line is that a lot of thought, by some really smart people, came up with the techniques used for securing computer systems. If you try to outthink them, chances are likely that you'll end up lessening the security of your system, not strengthening it.
> >
> > --
> > Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
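As an added example (not code from anyone in this thread), here is the check billv is after done without a fixed salt: keep the per-record random salt that has_secure_password gives you, and at the point where the plaintext is in hand (a model validation) verify the candidate against each existing digest stored under the same username. PBKDF2 from Ruby's stdlib stands in for bcrypt so it runs without the gem; the Account struct, salt length and iteration count are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Assumption: PBKDF2-HMAC-SHA256 from the stdlib stands in for bcrypt so this
# runs without the bcrypt gem; the relevant property is identical: each record
# gets its own random salt, so equal passwords never produce equal digests.
ITERATIONS = 20_000
KEY_LEN = 32
Account = Struct.new(:email, :salt, :digest)

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
end

# New record with a fresh salt, as has_secure_password does on assignment.
def build_account(email, password)
  salt = SecureRandom.random_bytes(16)
  Account.new(email, salt, hash_password(password, salt))
end

# Constant-time digest comparison so the check does not leak match length.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authenticate?(account, candidate)
  constant_time_equal?(account.digest, hash_password(candidate, account.salt))
end

# The uniqueness check from the thread, without a shared salt: while the
# plaintext is available (e.g. a before-save validation), verify it against
# every existing digest stored under the same username.
def password_unique_for?(email, candidate, accounts)
  accounts.none? { |a| a.email == email && authenticate?(a, candidate) }
end

# Constructed in-memory "table" using the thread's own username/password.
def demo
  accounts = [build_account('user', 'password')]
  duplicate = build_account('user', 'password')
  {
    digests_differ: accounts.first.digest != duplicate.digest,
    dup_rejected:   !password_unique_for?('user', 'password', accounts),
    other_ok:       password_unique_for?('user', 'a different passphrase', accounts),
    other_user_ok:  password_unique_for?('other', 'password', accounts)
  }
end
```

With the real gem the same shape applies: `BCrypt::Password.new(digest) == candidate` replaces hash_password/authenticate?, and the per-record salt stays random.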

