On 24 August 2011 02:54, Curtis Schofield <[email protected]> wrote:
> your UI decision seems strange - not only do I have to remember my password -
> but a different password is going to give me different access????
>
> How do I reset my password???

The OP is not using the password as a password but as an extension of the user name, to allow a single user to have separate 'accounts' via separate passwords. Why he does not just add an account number and keep the password as a password is unknown.

Colin

> On Aug 23, 2011 7:30 AM, "billv" <[email protected]> wrote:
>>
>> Oh, I understand the security implications. This is the result of a UI
>> design decision. I won't waste space here with the whys of the
>> matter. Suffice it to say a single username (email) will have
>> multiple passwords. Each password will identify a separate account
>> for that same username (email). Obviously, we should enable a single
>> user to access multiple accounts, but we're not ready to do that right
>> now.
>>
>> I also do not mean to suggest the salt should go away. I mostly want
>> to control what it is. If I can use the same salt for each of the
>> username passwords, the hashes will match and then I can validate to
>> be sure that they don't.
>>
>> It's a bit twisted that my reason for wanting the hashes to be the
>> same is so I can force them to be different, but there it is.
>>
>>
>> On Aug 23, 10:04 am, Robert Walker <[email protected]> wrote:
>> > billv wrote in post #1018052:
>> >
>> > > I'm using the has_secure_password function in my Rails 3.1 model. I
>> > > need to verify that the passwords are unique. The has_secure_password
>> > > function stores the password in a bcrypt hash. It appears the hashes
>> > > are created with a salt unique to the record, therefore the hash is
>> > > unique even for the same password. Does anyone know a way around
>> > > this?
>> >
>> > > As an example, if I create two users with the username "user" and the
>> > > password "password", the saved password_digest for each will be
>> > > different. Because I don't store the password itself, I can't check
>> > > to be sure the passwords are unique.
>> >
>> > So you are proposing to significantly reduce security of your passwords
>> > in order to ensure that two users don't happen to use the same password?
>> > Sounds counterproductive to me.
>> >
>> > Do you understand the reason, and security advantage, of salted hashes?
>> >
>> > What you need to worry about is making sure your users use strong
>> > passwords, not whether two users use the same one.
>> >
>> > Bottom line is that a lot of thought, by some really smart people, came
>> > up with the techniques used for securing computer systems. If you try to
>> > outthink them, chances are likely that you'll end up lessening the
>> > security of your system, not strengthening it.
>> >
>> > --
>> > Posted via http://www.ruby-forum.com/.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ruby on Rails: Talk" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/rubyonrails-talk?hl=en.
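An added example, not code from this thread and not how has_secure_password is implemented internally: it shows why the OP's two digests differ (a fresh random salt per record) and how a "same password twice under one email" check can still be done without weakening the salt, by verifying the candidate password against each stored digest instead of comparing digests. bcrypt is swapped for PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL so the script runs without the bcrypt gem; the salting behaviour being demonstrated is the same.

```ruby
require "openssl"
require "securerandom"

# Stand-in for bcrypt (assumption: PBKDF2 from Ruby's stdlib OpenSSL is used here
# purely so the example runs without extra gems). Real deployments tune cost upward.
ITERATIONS = 100_000
KEY_LENGTH = 32

# Hash a password with a random per-record salt. Stored form: "<salt hex>$<key hex>".
def make_digest(password, salt = SecureRandom.hex(16))
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                 length: KEY_LENGTH, hash: "sha256")
  "#{salt}$#{key.unpack1('H*')}"
end

# Constant-time comparison so a digest check does not leak how long a prefix matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a candidate password: re-hash it with the salt stored in the digest,
# then compare. This is the only correct way to ask "is this the same password?"
def verify?(password, stored)
  salt, _key = stored.split("$", 2)
  secure_equal?(make_digest(password, salt), stored)
end

# The OP's case: one email owns several digests. To check whether a new password
# repeats an existing one, verify it against each stored digest. Comparing the
# digests themselves would never match, because each carries its own salt.
def password_already_used?(password, stored_digests)
  stored_digests.any? { |digest| verify?(password, digest) }
end

# Demonstration with constructed values.
digests = [make_digest("password"), make_digest("password")]
puts "two digests of the same password differ: #{digests.uniq.size == 2}"
puts "repeat detected by verification: #{password_already_used?('password', digests)}"
```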

