[Rails] Re: has_secure_password hashes always unique
billv wrote in post #1018052:
> I'm using the has_secure_password function in my Rails 3.1 model. I
> need to verify that the passwords are unique. The has_secure_password
> function stores the password in a bcrypt hash. It appears the hashes
> are created with a salt unique to the record, therefore the hash is
> unique even for the same password. Does anyone know a way around
> this?
>
> As an example: if I create two users with the username "user" and the
> password "password", the saved password_digest for each will be
> different. Because I don't store the password itself, I can't check
> to be sure the passwords are unique.
So you are proposing to significantly reduce security of your passwords
in order to ensure that two users don't happen to use the same password?
Sounds counterproductive to me.
Do you understand the reason, and security advantage, of salted hashes?
What you need to worry about is making sure your users use strong
passwords, not whether two users use the same one.
Bottom line is that a lot of thought, by some really smart people, came
up with the techniques used for securing computer systems. If you try to
outthink them, chances are likely that you'll end up lessening the
security of your system, not strengthening it.
--
Posted via http://www.ruby-forum.com/.
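The behaviour the question describes and the reply defends, as an added example that is not code from the thread or from Rails: a small stand-in for `has_secure_password` that uses PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library in place of bcrypt (so it runs without the bcrypt gem; the salting property is the same). It stores a per-record random salt alongside the hash, mirrors `password_digest` / `authenticate`, and shows that two users with the password "password" get different digests that each still verify, which is exactly why digests cannot be compared for uniqueness. `make_digest`, `authenticate`, `secure_compare` and `same_password_two_users` are names chosen here, not Rails APIs.

```ruby
# Added example (not from the original thread or from Rails): a stand-in for
# what has_secure_password does, using PBKDF2-HMAC-SHA256 from Ruby's OpenSSL
# stdlib instead of bcrypt so it runs without the bcrypt gem. A per-record
# random salt makes the stored digest differ for every user even when the
# plaintext is identical, while each user's password still verifies.
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # work factor, the analogue of bcrypt's cost parameter
KEY_LEN    = 32      # derived key length in bytes
SALT_LEN   = 16      # random salt length in bytes (stored as 32 hex chars)

# Derive "salt$hash" (both hex), mirroring the single password_digest
# column that has_secure_password writes. A fresh salt is drawn per call
# unless one is supplied (as authenticate does when re-deriving).
def make_digest(password, salt = SecureRandom.hex(SALT_LEN))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
  "#{salt}$#{key.unpack1('H*')}"
end

# Constant-time string comparison so that authenticate does not leak how
# many leading bytes of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Counterpart of User#authenticate: re-derive with the stored salt and
# compare against the stored digest.
def authenticate(password, digest)
  salt, _hash = digest.split('$', 2)
  secure_compare(make_digest(password, salt), digest)
end

# The scenario from the question: two users created with the same password.
def same_password_two_users
  d1 = make_digest('password')
  d2 = make_digest('password')
  {
    digests_differ: d1 != d2,                    # true: salts are per record
    both_authenticate: authenticate('password', d1) && authenticate('password', d2),
    wrong_rejected: !authenticate('Password', d1) # case differs, must fail
  }
end

if __FILE__ == $PROGRAM_NAME
  p same_password_two_users
end
```

Because the salt is random per record, the only way to test "is this password already in use" would be to derive a deterministic (unsalted or globally salted) value, which is precisely the weakening the reply warns against.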
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.