Using Bcrypt for a Ruby on Rails and C - ruby-on-rails

I'm creating a web application that requires the user to sign up and login, and I'm encrypting the password with a salt using the bcrypt library included as a gem.
gem 'bcrypt-ruby', :require => 'bcrypt'
The username, password, and salt get stored in the database. I'm planning to make a C API that supplements my web application, but I want the users to log in first. So I want to make a function in C that checks if the username and password exist in the database, which requires bcrypt to hash the password again to see if it matches. I was wondering if I could use the bcrypt library included in this link http://www.openwall.com/crypt/ to do that.
I'm using the library but I'm unsure if it's working or not because I am unsure if the hashing algorithms are the same.
Are all bcrypt hashing algorithms the same? Is bcrypt-ruby compatible with openwall's crypt blowfish?

Related

Set password for user automatically - without Devise

I'm a beginner with Rails 5; I would appreciate your help.
I have a user model, where I obviously save a password for the user for a possible login.
The thing is I want to set the password automatically based on a text_field called identification_number.
Everything I've read is about doing it with Devise gem, but I'm not using it and also don't want to.
Once again, thanks for your help.
The password field is just another string field called :identification_number for your case.
But saving passwords in the DB as plain strings is strongly not recommended.
There are a lot of security issues if you save the passwords as plain strings in your database.
Some of them are:
You have full access on the passwords of your users
If someone, somehow manages to access your database they will also have full access to the passwords of your users.
In order to avoid these issues, most of the applications save the password strings as encrypted strings with some kind of salt for enhanced entropy.
With a quick Google search I found some relevant blog posts that can help you build the password encryption from scratch, such as:
Without using a gem:
https://www.sitepoint.com/rails-userpassword-authentication-from-scratch-part-i/
Using some gems:
http://railscasts.com/episodes/250-authentication-from-scratch?view=asciicast
Apart from that, the password is not an identification_number. I would not use that name. The password is not used to identify the user. The id is, most of the time, the identification number. Better to just call it :password. Also, it does not need to be a text field; it shouldn't be that long.
You can use bcrypt gem for implementing the secure password.
The bcrypt Ruby gem provides you with the has_secure_password method. The has_secure_password method encrypts passwords by hashing and salting them and generates a 'password_digest'.
You can refer to this link for more info.
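The answer above recommends has_secure_password, which delegates the actual work to the bcrypt gem. The following is an added example, not code from the original posts and not how has_secure_password is implemented: it shows the same structure using only the Ruby standard library so it runs without any gem, with PBKDF2-HMAC-SHA256 standing in for bcrypt as the deliberately slow, salted hash. The function names (create_digest, authenticate?, constant_time_equal?) and the storage format are my own choices. In a Rails app you would use has_secure_password; the point here is what "salted" and "not reversible" mean in code.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not from the original posts and not what has_secure_password
# does internally (that delegates to the bcrypt gem). Same shape, standard
# library only: a random per-user salt, a deliberately slow derivation
# (PBKDF2-HMAC-SHA256 here, standing in for bcrypt), the salt stored inside
# the digest string, and a constant-time comparison on verification.
# Nothing here is reversible: there is no key, only a one-way function.

ITERATIONS = 100_000   # tune so one derivation costs tens of milliseconds
KEY_LENGTH = 32        # bytes of derived key to store

# Returns one self-describing string for the `password_digest` column:
#   pbkdf2-sha256$<iterations>$<base64 salt>$<base64 key>
# The salt travels with the digest, so nothing else needs to be stored.
def create_digest(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  key  = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: KEY_LENGTH, hash: 'sha256')
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [key].pack('m0')].join('$')
end

# Byte-for-byte comparison whose running time does not depend on where the
# first differing byte is, so an attacker cannot learn the digest incrementally.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verification recomputes the derivation with the stored salt and parameters
# and compares; a stored plain-text password (no algorithm tag) never matches.
def authenticate?(stored_digest, candidate)
  algo, iter, salt_b64, key_b64 = stored_digest.split('$', 4)
  return false unless algo == 'pbkdf2-sha256' && key_b64
  salt     = salt_b64.unpack1('m0')
  expected = key_b64.unpack1('m0')
  actual   = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iter.to_i,
                                      length: expected.bytesize, hash: 'sha256')
  constant_time_equal?(expected, actual)
end

if __FILE__ == $PROGRAM_NAME
  digest = create_digest('correct horse')      # constructed sample password
  puts digest
  puts "right password accepted: #{authenticate?(digest, 'correct horse')}"
  puts "wrong password accepted: #{authenticate?(digest, 'correct horsf')}"
end
```

Two of the "security issues" from the answer show up directly in this code: the application author cannot read any user's password back out of `create_digest`'s output, and two users with the same password get different digests because the salt is random per row.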

Rails Active Admin and BCrypt gem, how to decrypt a password?

I am using the Rails Active Admin gem and the BCrypt gem. Now I want to decrypt all users' passwords. How can I do this?
Thanks for your support!!
You can't, because bcrypt is a password hashing function, not encryption.
That is the whole point of using bcrypt.
As I can understand from your comments you want to migrate an existing app in PHP to Rails.
You cannot decrypt the password and get the plain text.
So you need to first find out the encryption mechanism used in the PHP app. If you can't find that out from your codebase, then you can follow these steps:
Create a user from your PHP app. Set the password as test.
Get the encrypted password from the database.
Go to BCrypt Calculator and check if test matches the encrypted password.
If it matches then your PHP app is using BCrypt and moving over to Rails using BCrypt will be fine.

migrate ruby on rails salted bcrypt to md5

I'm trying to migrate a Ruby on Rails app to Django, and got stuck with the fact that the RoR app is encrypting the user passwords in 2 fields, crypted_password and password_salt, in addition to the persistence_token. So is there any workaround to replace this with just simple MD5-hashed passwords without resetting the passwords of all users?
You need the password in plain text to store it hashed (with MD5 or any other algorithm). That said, you would need to recover the user's password from the current bcrypted version. And avoiding the possibility of such a decryption is exactly the reason why bcrypt exists.
Therefore the answer is: No, you cannot do that without your users' help.
Btw, MD5 is considered insecure. You should try hard to get the bcrypt version working with Django.

Ruby on Rails 4 authentication, devise vs bcrypt

I am new to Ruby on Rails 4 and I started with the tutorial http://ruby.railstutorial.org/ruby-on-rails-tutorial-book, and in this tutorial for user signup 'bcrypt' is used. However, for my project I would like to have more options like email confirmation, password reset, etc. So my question is, can I achieve all of this using existing Rails 4 without any gems, or do I need to use 'devise' as suggested by some others on Stack Overflow? Also, can I use the 'devise' gem along with 'bcrypt'?
Short answer: Devise isn't required. You can write all the authentication / email confirmation / password reset logic yourself. There's nothing inherently 'magical' about Devise, it's just a well-written solution to a common problem.
However...
Writing a complete (and secure) authentication system isn't an easy task. I'd recommend working through the tutorial and letting it guide you through writing your own authentication system there.
Then you'll be in a better position to understand how web app authentication works and whether or not to use Devise.
FYI, Devise already uses bcrypt, as seen in its gemspec:
s.add_dependency("bcrypt-ruby", "~> 3.0")

Move database with bcrypt password field

I have a postgres database running at heroku. In the database I store passwords using bcrypt. The app is a Ruby on Rails 3 app using custom authorization. The authorization is using the rails method has_secure_password for the passwords.
I have planned to move my app to a VPS instead.
Will all my users' passwords still be working after moving the database? I'm asking this because I'm not sure how the passwords are salted. Is the method used to crypt the passwords not tied to the database server in any way?
Source - bcrypt-ruby
"Hash algorithms take a chunk of data (e.g., your user's password) and
create a "digital fingerprint," or hash, of it. Because this process
is not reversible, there's no way to go from the hash back to the
password."
Assuming you're storing a password hash and salt as a string, then you will be able to store this in any data store. Take a look in db/schema and you will probably find that you are doing this.
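Three of the questions on this page turn on the same point: whether a hash produced by bcrypt-ruby can be checked from C with Openwall's crypt_blowfish, how to tell whether a PHP app's stored value is a bcrypt hash at all, and whether a has_secure_password digest survives moving the database off Heroku. All three come down to the format of the stored string, which carries its own salt and cost. The following is an added example, not code from the original posts or from bcrypt-ruby: a standard-library-only Ruby inspector for that format. The variant letters (2a, 2b, 2y), the cost range and the alphabet are the ones documented for bcrypt and crypt_blowfish as I know them; the function names are mine, and the sample digest is constructed to the right shape, not the hash of any real password.

```ruby
# Added example, not code from the original posts or from bcrypt-ruby.
# Inspects a stored bcrypt hash (e.g. a Rails `password_digest` column or
# a PHP password_hash() result) using only the Ruby standard library.
#
# bcrypt stores everything a verifier needs in one 60-character string:
#
#   $2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
#    ^^  ^^ ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#    |   |  22-char salt (128 bits) 31-char digest (184 bits)
#    |   +-- cost: 2**cost rounds of the expensive key setup
#    +-- variant: 2a, 2b or 2y. These name the same algorithm; the letter
#        records which implementation bug fixes the producer had (2y came
#        from crypt_blowfish, 2b from OpenBSD), so a consumer should accept
#        all three rather than insist on the one it would generate itself.
#
# Salt and digest use bcrypt's own base64 alphabet "./A-Za-z0-9", which is
# not the RFC 4648 alphabet, so never run it through Base64.decode64.
# Because the salt is inside the string, no separate column and nothing on
# the database server is needed to verify it elsewhere.

BCRYPT_ALPHABET   = %r{[./A-Za-z0-9]}
BCRYPT_FORMAT     = /\A\$(2[aby])\$(\d{2})\$(#{BCRYPT_ALPHABET}{22})(#{BCRYPT_ALPHABET}{31})\z/
BCRYPT_COST_RANGE = 4..31  # the cost range bcrypt-ruby and crypt_blowfish accept

BcryptHash = Struct.new(:variant, :cost, :salt, :digest, keyword_init: true) do
  # "$2a$12$<salt>" is the setting string a crypt(3)-style call (such as
  # crypt_blowfish's) takes together with the candidate password; the call
  # returns the full 60-char string, which must equal the stored one.
  def setting
    "$#{variant}$#{format('%02d', cost)}$#{salt}"
  end
end

# Returns a BcryptHash, or nil when the string is not a well-formed bcrypt hash
# (so an MD5 hex string or a plain-text password is rejected up front).
def parse_bcrypt(stored)
  m = BCRYPT_FORMAT.match(stored.to_s)
  return nil unless m
  cost = m[2].to_i
  return nil unless BCRYPT_COST_RANGE.cover?(cost)
  BcryptHash.new(variant: m[1], cost: cost, salt: m[3], digest: m[4])
end

# A stored hash can be verified by another implementation when it is
# well-formed and uses a variant that implementation accepts.
def portable_to?(stored, accepted_variants = %w[2a 2b 2y])
  h = parse_bcrypt(stored)
  !h.nil? && accepted_variants.include?(h.variant)
end

# Cost policy check: rows hashed at a lower cost than the application now
# uses should be rehashed at the user's next successful login (the only time
# the plain text is available), which is also the only way to migrate hashes.
def needs_rehash?(stored, current_cost)
  h = parse_bcrypt(stored)
  h.nil? || h.cost < current_cost
end

# Constructed sample (not the hash of any real password): variant 2a, cost 12,
# filler salt and digest of the right lengths and alphabet.
SAMPLE_DIGEST = '$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

if __FILE__ == $PROGRAM_NAME
  h = parse_bcrypt(SAMPLE_DIGEST)
  puts "variant=#{h.variant} cost=#{h.cost} salt=#{h.salt}"
  puts "setting for a crypt(3)-style call: #{h.setting}"
  puts "portable to crypt_blowfish? #{portable_to?(SAMPLE_DIGEST)}"
  puts "rehash at cost 13? #{needs_rehash?(SAMPLE_DIGEST, 13)}"
end
```

Format agreement is necessary but not sufficient for the C side of the first question: before trusting the C verifier, hash one known password with bcrypt-ruby, pass the resulting `setting` and the same password to crypt_blowfish, and confirm the two 60-character strings are identical. That single round trip is the compatibility test the poster was unsure how to do.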
