Comments on: Ruby on Rails Password Hashing Module

By: Guy

Guy — Fri, 11 Sep 2009 15:44:24 +0000

Diego wrote: “I got an error when I use variable salt as “salt = ..”, How can I solve it?”

I just replaced that line with:
salt = “”

By: Rajat

Rajat — Sat, 18 Jul 2009 22:41:48 +0000

seems like wordpress stripped out some stuff:

validates_length_of :password, :is => 192 #this is how long the salted hashed pws should be

By: Rajat

Rajat — Sat, 18 Jul 2009 22:40:52 +0000

Thanks Zachary, very useful.

In my Model, i added a validation to make sure PWs are being salted properly:
Class User 192 #this is how long the salted hashed pws should be
end

its a handy error check. thanks again

By: Diego Soares

Diego Soares — Wed, 22 Apr 2009 13:28:25 +0000

I got an error when I use variable salt as “salt = ..”, How can I solve it?

Thanks,

Diego

By: links for 2009-03-14 « Amy G. Dala

links for 2009-03-14 « Amy G. Dala — Sat, 14 Mar 2009 14:01:54 +0000

[...] Ruby on Rails Password Hashing Module (tags: ruby rails security reference) [...]

By: valley

valley — Mon, 10 Nov 2008 14:10:30 +0000

In Password.salt what do i have to enter for salt = .. ?
Whatever i take i get an error

TypeError (can’t convert Fixnum into String):
/lib/password.rb:33:in `+’
/lib/password.rb:33:in `salt’
/lib/password.rb:9:in `update’

in Password.store, and the salt value is never 64 chars long.

By: Hugo Peixoto

Hugo Peixoto — Sat, 06 Sep 2008 04:58:34 +0000

@Thomas
Instead of before_create, you could use after_validate_on_create.

By: fophillips

fophillips — Wed, 30 Jul 2008 00:59:11 +0000

Is this code released under a specific license? I would like to use it in my project under the AGPL.

By: Zachary Fox

Zachary Fox — Fri, 11 Jul 2008 14:29:03 +0000

@Thomas

Good points. These are very simplified examples of code that is in a CMS I wrote. I actually use a before_save method to check the values of password and password_verification fields (which are submitted from a form), along with additional validations to ensure that the password is valid (length, complexity, etc…)

For multiple reasons, I haven’t provided complete examples, but enough that you can work with the password.rb lib.

I’m glad you found it useful, and I’ll look into the source files to see why the quotes aren’t working properly.

By: Thomas

Thomas — Fri, 11 Jul 2008 13:51:27 +0000

I have to comment myself:

the assignment-method works, but the cost is, you cannot validate the password (e.g. against a minimum length), because validations uses the hashed value of the password. A better approach is:

protected
def before_save
self.password = Password::update(self.password) if self.password_changed?
end

But even here, you have to validate like this:

def validate
if self.password_changed?
errors.add(”password”, “at least 10 characters”) if self.password.length < 10
end
end

since all other validation-methods will use the hashed-version of the password, when you e.g. change some other attribute but not the password.

Best regards
Thomas