Decryption encryption in Rails

I use require 'digest/sha1' to encrypt my password and save it to the database. During login, I authenticate by matching the encrypted password stored in the database against the encryption of the password entered in the field. At the moment, everything is working fine, but now I want to add "Forgot Password" functionality. To do this, I need to decrypt the password that is stored in the database in order to recover the original one. How do I decrypt using digest/sha1? Or does anyone know an algorithm that supports both encryption and decryption?

I use Ruby on Rails, so I need Ruby to do it.

+6
ruby ruby-on-rails encryption
5 answers

SHA1 is a one-way function that you cannot reverse.

This may be of interest for password reset: http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/

If you want to do encryption / decryption, you should use something like AES. However, if you start using encryption / decryption, you will also have to start worrying about key management.

Regarding your comment on the OP below - if you are going to store CC information, I would advise you to get a security officer who knows about cryptography, key management, etc., and also understands the relevant legal and regulatory aspects.

+10

Do not encrypt the password. Instead, save a password hash (preferably with salt).

"Forgot password" usually means (re)authentication through another channel, say, a password reset e-mail notification.

See http://railscasts.com/episodes/209-introducing-devise if you need something ready-made.

Edit: if you really need encryption, google "openssl ruby".

There is never a simple solution for security. How good your implementation is, is determined by its weakest point.

Therefore, my recommendation: do not count on a short answer on SO ;-)

+6

As Horace Ho explained, you should never encrypt your password, but always store a salted hash.

However, it is great for encrypting other data, such as confidential information. Encryptor is a simple but powerful wrapper for OpenSSL. It provides the ability to encrypt / decrypt attributes in any class.

+2

Look at the ezcrypto gem: http://ezcrypto.rubyforge.org/

There's also the crypt gem; look at Blowfish: http://crypt.rubyforge.org

+1

To perform two-way encryption on other database fields, check out the attr_encrypted gem:

https://github.com/shuber/attr_encrypted

But, as others have said, you will not want to do this with a password. Passwords should be stored one-way. For forgotten password functionality, you usually send them an e-mail with something impossible to guess, which will allow them to choose a new password.

Here is an example: http://railscasts.com/episodes/274-remember-me-reset-password?view=asciicast

+1
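As an added example (not code from any of the answers above), here is the approach recommended by Horace Ho's answer and by this last one, in plain Ruby with OpenSSL: the login path stores and checks a salted, iterated hash that cannot be decrypted, and the "forgot password" path mails an unguessable random token while persisting only its hash and an expiry. The iteration count, the 15-minute expiry and the record layout are assumptions for the example.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # assumed work factor; tune for your hardware
KEY_LEN = 32

# Constant-time comparison, so a wrong guess takes as long as a right one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What you persist instead of the password: a random salt and a PBKDF2 hash.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                                      OpenSSL::Digest.new('SHA256'))
  { salt: salt, password_hash: digest.unpack1('H*') }
end

# Login: re-hash the submitted password with the stored salt and compare.
# Nothing is ever decrypted; the stored hash is useless on its own.
def password_matches?(record, attempt)
  candidate = hash_password(attempt, record[:salt])[:password_hash]
  secure_equal?(candidate, record[:password_hash])
end

# Forgot password: the raw token goes into the e-mail, only its hash and an
# expiry go into the database, so a leaked table does not yield usable links.
def issue_reset_token(now = Time.now)
  token = SecureRandom.urlsafe_base64(32)
  stored = { reset_digest: OpenSSL::Digest::SHA256.hexdigest(token),
             reset_expires_at: now + 15 * 60 } # assumed 15-minute lifetime
  [token, stored]
end

# Accept the token from the reset link only while it is unexpired and matches.
def reset_token_valid?(stored, presented, now = Time.now)
  return false if now > stored[:reset_expires_at]
  secure_equal?(OpenSSL::Digest::SHA256.hexdigest(presented), stored[:reset_digest])
end
```

After a successful reset, store a fresh hash_password result and clear the reset fields so the token cannot be replayed.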
