Definitely introduce some salt(s) to the string to be hashed. I would recommend the following strategy:
1. Create a UserValidation migration:

   ..
   t.column :username, :string
   t.column :hash, :string
   t.column :salts, :text
   ..

2. In your UserValidation model:

   ..
   serialize :salts, Array
   ..

3. The reason to make :salts a serialized array is that you can change the way you are encrypting periodically. So, the basic idea is:

   #### library names and methods are not correct, just to get the idea
   require 'digest'
   valid = UserValidation.new
   valid.salts = [RandomNumber, user.username, ...]
   valid.hash = Digest::SHA1.hexdigest(valid.salts.join)
   valid.save
   ## sends an e-mail with the hash
   ####

4. Upon a link being clicked, it then goes through the :salts and checks to make sure the username is within the :hash...

-Jordan

On 10/11/2006, "Nick Zadrozny" <[EMAIL PROTECTED]> wrote:
>On 10/11/06, Patrick Crowley <[EMAIL PROTECTED]> wrote:
>> In my case, the SHA-1 token will probably be the user's login or
>> email. It just needs to be something unique.
>
>On 10/11/06, Patrick Crowley <[EMAIL PROTECTED]> wrote:
>> So, once I generate the validation token, it's almost certainly
>> unique and the SHA-1 number space is large enough that it would be
>> painful for bots to try hacking the validation process.
>
>Seems to me it needs to be unique and non-trivial to guess. If I were
>to try breaking such a system, I'd go through the process manually and
>try hashing all the possible combinations of input I submitted to see
>if I could reproduce the same hash.
>
>So long as you can make that process reasonably non-trivial it seems
>you should be good to go. If I were you I'd consider using more than
>one piece of information, or adding some kind of salt. But, like I
>said, I've never done new account validation before, so I'm sure
>someone else will have better input :)
>
>--
>Nick Zadrozny
>_______________________________________________
>Sdruby mailing list
>[email protected]
>http://lists.sdruby.com/mailman/listinfo/sdruby
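A runnable version of the strategy sketched in the message above, as an added example rather than code from the post or the list: UserValidation is a plain Ruby object standing in for the ActiveRecord model, the salts array is serialized as JSON to mirror `serialize :salts, Array`, and SHA-256 with a random salt and a constant-time comparison replaces the SHA1 placeholder.

```ruby
require 'digest'
require 'securerandom'
require 'json'

# Added example, not the list post's code: a stand-alone model-like object
# that keeps the salts it hashed so the token can be recomputed later.
class UserValidation
  attr_reader :username, :token, :salts

  def initialize(username, salts:, token:)
    @username, @salts, @token = username, salts, token
  end

  # Step 3 of the recipe: a random salt plus the username, hashed together.
  # The random part is what makes the token unguessable; a hash of the
  # username alone could be recomputed by anyone who knows the username.
  def self.create(username)
    salts = [SecureRandom.hex(16), username]
    new(username, salts: salts, token: digest(salts))
  end

  # Joined with a NUL so "ab"+"c" and "a"+"bc" cannot collide.
  def self.digest(salts)
    Digest::SHA256.hexdigest(salts.join("\x00"))
  end

  # What a `serialize :salts, Array` text column would hold (JSON here).
  def serialized_salts
    JSON.generate(@salts)
  end

  # Step 4: on link click, rebuild the token from the stored salts and
  # compare it to the value in the URL without leaking where it differs.
  def valid_token?(candidate)
    expected = self.class.digest(@salts)
    return false unless candidate.bytesize == expected.bytesize
    candidate.bytes.zip(expected.bytes)
             .reduce(0) { |acc, (a, b)| acc | (a ^ b) }
             .zero?
  end
end
```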
