I'm beginner with Rails 5, i would appreciate your help.
I have an user model, where obviously save a password for the user for a possible login.
The thing is i want to set the password automatically based on a text_field called identification_number.
Everything I've read is about doing it with Devise gem, but I'm not using it and also don't want to.
Once again, thanks for your help.
The password field is just another string field called :identification_number for your case.
But, saving password in the DB as plain strings is highly unrecommended.
There are a lot of security issues if you save the passwords as plain strings on your database.
Some of them are that:
You have full access on the passwords of your users
If someone, somehow manages to access your database they will also have full access to the passwords of your users.
In order to avoid these issues, most of the applications save the password strings as encrypted strings with some kind of salt for enhanced entropy.
With a quick google search I found some relevant blog posts that can help you build the password encryption from scratch, such as:
Without using a gem:
https://www.sitepoint.com/rails-userpassword-authentication-from-scratch-part-i/
Using some gems:
http://railscasts.com/episodes/250-authentication-from-scratch?view=asciicast
Apart from that, the password is not an identification_number. I would not use that name. The password is not used to identify the user. The id is most of the time the identification number. Better just call it :password. Also, it does not need to be a text field, it shouldn't be that long.
You can use bcrypt gem for implementing the secure password.
The bcrypt ruby gem provides you with has_secure_password method. The has_secure_password method encrypts passwords by hashing and salting the passwords and generate ‘password_digest’.
you can refer this link for more info
Related
I'm currently developing a new application, I had made one in the past and I had done all the users manually but now I'm looking to use the best way possible to implement my users. I had thought in the past of using the gem but because of time reasons I didn't have the time to implement it, now that I'm starting fresh I wanted to start using the gem to optimize and use what the gem has to offer, since I really liked it.
Anyway, my issue is, for security reasons since I will be passing parameters through mobile I will be encrypting the password to pass it to my application, and then with that encrypted password I will encrypt it once again to compare it to the encrypted password, so what I wanted was a way to encrypt the password before devise encrypts it, that way when the mobile app passes the encrypted password it will match to the previous encryption.
I tried a before_save on the Model, without luck, it just saved the encrypted_password empty, I'm not sure why.
tl;dr I need to encrypt before the gem, tried to do it with before_save/before_create on the model but it didn't work, anyone knows any way to do it?
Consider the following fact: If you encrypt the password before sending it with a method which allows you to decrypt it at server level, then this means your method is not one-way and the password sent may be decrypted by other person using a middle-man attack. Then you are not safe at all.
It is much better to use HTTPS/SSL to send this kind of sensitive data. It encrypts all you send at transport level and does this in a way better than anything you can implement by yourself, no offense meant.
I've completed several tutorials of different length and difficulty, a few of them building a custom authentication system from scratch. Most times I seem to find the following way of encrypting the password.
rails generate model User name:string email:string
and then
rails generate migration add_password_digest_to_users password_digest:string
Which produces a hashed password the the development database, when viewed, instead of the password (password1) it shows something like RFTER4dr3wxMnei instead.
Is it possible to add other attributes to the user via this method? For example, if I had two authentication methods (enter username and password) then (enter memorable information) could they both be encrypted using the same method?
or how, in theory, (and if possible) could you use it to encrypt all of the user's data (their name, email, date of birth, password etc)
This is not encryption, it is crystallographic hashing. A hash function is a function that produces a unique output for every input, from which it is impossible (theoretically) to reconstruct the input (short of a brute force attack, or something like a hash table).
Hash functions are perfect for authentication, because it means that you are not actually storing the password. You only store something the you can confirm the correctness of the password with. Every time someone logs in, the password given is hashed using the same algorithm, and the hashes are compared. This way, if someone breaks into your database, they can't actually get the passwords.
Information that you actually need to access, not just verify (you need to verify password, but access DoB, username, etc.) can be encrypted, but then you need to figure out how you are dealing with keys and such, because if someone can steal the encrypted information from the same place as the key, it's effectively pointless.
Worth mentioning: while it's great for learning, don't implement your own authentication systems in production unless you have too. Either use some open source code that has been reviewed by security experts, or use third party authentication that is trusted and secure (Log in with Google, OpenID, Oauth, Log in with Facebook, etc.)
I have a postgres database running at heroku. In the database I store passwords using bcrypt. The app is a Ruby on Rails 3 app using custom authorization. The authorization is using the rails method has_secure_password for the passwords.
I have planned to move my app to a VPS instead.
Will all my users passwords still be working after moving the database? I'm asking this because I'm not sure how the passwords are salted. Is the method used to crypt the passwords not tied to the database server in any way?
Source - bcrypt-ruby
"Hash algorithms take a chunk of data (e.g., your user‘s password) and
create a "digital fingerprint," or hash, of it. Because this process
is not reversible, there‘s no way to go from the hash back to the
password."
Assuming your storing a password hash and salt as a string then you will be able to store this in any data store. Take a look in db/schema and you will probably find that you are doing this.
Recently I have changed my authentication system to devise. I want to migrate my existing user data to this new system. Previous one was using SHA256 hash to save password. As I know this encryption is one way so in that case what will be the best way to migrate users data to new system. Devise support SHA512 encryption as well but not SHA256 as I know.
Simply upping the hash size isn't buying much security. Please read up on intreated hashes and salting.
Traditionally, you upgrade a password upon the user changing their password. The type of password is either stored with the password (common format: $type$salt$hashpassword), or in an adjacent column, allowing you detect which algorithm to use.
Whether you force users to change their password is your choice.
When a user enters their password (logs in), you can create a devise account for them automatically. That's probably the easiest way to migrate.
As the title says: how can I use the Restful Authentication Plugin with Ruby on Rails. When I want to create a new user, it requires me to set the (wrong-named, confusing field) login (= username), email address and password. However, I want, like Facebook does, to require the user to enter only an email address and password, not a username. People will also login with this email address.
Can anyone help me?
Can you hash the email to a unique user-name and just never expose the field to the user?
Restful Authentication includes generators that set up your models and migrations. You're free to edit those as you see fit.
You would just need to edit the validations in the User model for the login field. I'm not sure if the default users table migration include :null=>false for the login field, but that's a simple fix as well.
Set the username and email to the same value?
What BlueRaja says, or use authlogic, which can easily be modified to support what you are trying to achieve.
Also, if you're going to do this, why not go the next step and support OpenId? It's available as an addon to authlogic.
I forked a version of restful auth and modified it to not use usernames. Not thouroughly tested with all options but it passes the tests. Check it out if you want: https://github.com/jamiequint/restful-authentication