You are here: Forums Ask a Rails expert decrypting the password...
Hi, I'm Mohd Anas.
I used Digest/sha2 to make the password into a “hashed password”.
Hi Anas, I don’t think the passwords encrypted using Digest/sha2 can be retrieved. Please refer
SHA is one-way encryption – you can’t convert it back to the plain string. However, you can always compare the encrypted value with some user input … Most authentication plugins in Rails do it like that, e.g. acts_as_authenticated …
    # in the SessionController:
    self.current_user = User.authenticate(params[:login], params[:password])

    # somewhere in the User model:
    def self.authenticate(login, password)
      u = find :first, :conditions => ['login = ? and activated_at IS NOT NULL', login] # need to get the salt
      u && u.authenticated?(password) ? u : nil
    end

    def self.encrypt(password, salt)
      Digest::SHA1.hexdigest("--#{salt}--#{password}--")
    end

    def encrypt(password)
      self.class.encrypt(password, salt)
    end

    def authenticated?(password)
      crypted_password == encrypt(password)
    end

If you need some kind of “forgot password” functionality, the best idea would be to provide a way to reset the user password. You then create a new random string, encrypt it and send it to the user to log in. After that, they can change the password to anything they want. HTH
It is worth noting the reason for using a one-way hash like sha2. You are adding an extra layer of protection in case your database is compromised. So, short of a brute force attack, there is no way to get the original password from the hash. As the previous poster shows, you authenticate the user by computing a hash of the clear password as typed by the user and compare it with the hash in the database. You do not try to reverse the hash and compare it with the clear password.
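
The two answers above describe comparing a freshly computed hash with the stored one, and resetting a forgotten password with a random string. The following is an added example, not code from any poster or plugin: a plain-Ruby sketch of both, using PBKDF2 from the standard library instead of the single SHA1 pass in the posted code. The `Account` class, `ITERATIONS`, `RESET_TTL`, `start_reset`, `finish_reset` and `secure_equal?` are hypothetical names chosen for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
# Hypothetical stand-in for the User model; plain Ruby, no Rails or database.
class Account
  ITERATIONS = 200_000   # assumed work factor, tune for your hardware
  RESET_TTL  = 30 * 60   # assumed lifetime of a reset string, in seconds
  attr_reader :salt, :crypted_password
  def initialize(password); self.password = password; end

  # Store a fresh random salt and the derived hash, never the clear password.
  def password=(password)
    @salt = SecureRandom.hex(16)
    @crypted_password = encrypt(password)
  end

  def encrypt(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'SHA256').unpack1('H*')
  end

  # Hash the input again and compare the two hashes; nothing is reversed.
  def authenticated?(password)
    secure_equal?(crypted_password, encrypt(password))
  end

  # Returns the random string to send to the user; only its hash is kept.
  def start_reset(now = Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @reset_digest = Digest::SHA256.hexdigest(token)
    @reset_expires_at = now + RESET_TTL
    token
  end

  # Accepts the string once, before it expires, then sets the new password.
  def finish_reset(token, new_password, now = Time.now)
    return false if @reset_digest.nil? || now > @reset_expires_at
    return false unless secure_equal?(@reset_digest, Digest::SHA256.hexdigest(token.to_s))
    @reset_digest = nil
    self.password = new_password
    true
  end

  private
  # Comparison whose running time does not depend on where the strings differ.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails model the salt, the password hash, the reset hash and its expiry would be database columns rather than instance variables.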
Thank you, Balaji & Clemens Kofler … for giving detailed information