
BCrypt does its own salting, lovely!

1 parent 39b5ea6 commit bd9dc4ff23ab1e185df6ccf35d6058c0a3d234ce @dhh dhh committed Dec 18, 2010
Showing with 22 additions and 12 deletions.
  1. +11 −12 activemodel/lib/active_model/secure_password.rb
  2. +11 −0 activemodel/test/cases/secure_password_test.rb
23 activemodel/lib/active_model/secure_password.rb
@@ -4,17 +4,19 @@ module ActiveModel
module SecurePassword
extend ActiveSupport::Concern
+ WEAK_PASSWORDS = %w( password qwerty 123456 )
@tenderlove
Ruby on Rails member
tenderlove added a note Dec 19, 2010

What about omgwtfbbq? O_O

@geoffgarside
geoffgarside added a note Dec 19, 2010

There's a list of commonly used passwords at http://www.searchlores.org/commonpass1.htm

+
module ClassMethods
- # Adds methods to set and authenticate against a SHA2-encrypted and salted password.
- # This mechanism requires you to have password_digest and password_salt attributes.
+ # Adds methods to set and authenticate against a BCrypt password.
+ # This mechanism requires you to have a password_digest attribute.
#
# Validations for presence of password, confirmation of password (using a "password_confirmation" attribute),
- # and strength of password (at least 6 chars, not "password") are automatically added.
+ # and strength of password (at least 6 chars, not "password", etc) are automatically added.
# You can add more validations by hand if need be.
#
# Example using Active Record (which automatically includes ActiveModel::SecurePassword):
#
- # # Schema: User(name:string, password_digest:string, password_salt:string)
+ # # Schema: User(name:string, password_digest:string)
# class User < ActiveRecord::Base
# has_secure_password

Maybe this is too much of a beginner question, but does this line free me from writing it in my app/models/user.rb file?

@steveklabnik
Ruby on Rails member
steveklabnik added a note Mar 20, 2013

No.

# end
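Review bot: the updated doc line "strength of password (at least 6 chars, not "password", etc)" disagrees with the validation further down in this commit, which uses `@password.size > 6` and so rejects a six-character password; either the comment should say "more than 6 chars" or the check should be `>= 6`. The trailing "etc" is also too vague for a security-relevant rule: name the `WEAK_PASSWORDS` constant here so users can see exactly which values are rejected, and consider marking the `%w( password qwerty 123456 )` list as a deliberately minimal default rather than a complete denylist, since three entries will not cover most common passwords.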
@@ -33,7 +35,7 @@ def has_secure_password
attr_reader :password
attr_accessor :password_confirmation
- attr_protected(:password_digest, :password_salt) if respond_to?(:attr_protected)
+ attr_protected(:password_digest) if respond_to?(:attr_protected)
validates_confirmation_of :password
validates_presence_of :password_digest
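Review bot: dropping `:password_salt` from `attr_protected` is consistent with the schema change in the doc comment, but existing applications that already have a `password_salt` column will silently keep an unused, now mass-assignable column; a short note in the changelog (or in the doc comment's schema example) that `password_salt` can be removed by migration would avoid that surprise.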
@@ -44,7 +46,7 @@ def has_secure_password
module InstanceMethods
# Returns self if the password is correct, otherwise false.
def authenticate(unencrypted_password)
- if BCrypt::Password.new(password_digest) == (unencrypted_password + salt_for_password)
+ if BCrypt::Password.new(password_digest) == unencrypted_password
self
else
false
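Review bot: `BCrypt::Password.new(password_digest)` raises `BCrypt::Errors::InvalidHash` when `password_digest` is nil or not a bcrypt string, so `authenticate` on a record whose digest was never set raises instead of returning `false` as the comment above promises; a guard such as `return false if password_digest.blank?` before the comparison keeps the documented contract. The simplified `== unencrypted_password` comparison itself is correct: bcrypt stores its salt inside the digest, so the old `+ salt_for_password` concatenation was redundant.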
@@ -54,18 +56,15 @@ def authenticate(unencrypted_password)
# Encrypts the password into the password_digest attribute.
def password=(unencrypted_password)
@password = unencrypted_password
- self.password_digest = BCrypt::Password.create(unencrypted_password + salt_for_password)
+ self.password_digest = BCrypt::Password.create(unencrypted_password)
end
- private
- def salt_for_password
- self.password_salt ||= self.object_id.to_s + rand.to_s
- end
+ private
def password_must_be_strong
if @password.present?
errors.add(:password, "must be longer than 6 characters") unless @password.size > 6
- errors.add(:password, "can't be 'password'") if @password == "password"
+ errors.add(:password, "is a too weak and common") if WEAK_PASSWORDS.include?(@password)
@asanghi
asanghi added a note Dec 19, 2010

not "is a too weak and common" but "is too weak and common"

@bbhoss
bbhoss added a note Dec 19, 2010

actually I think "is insecure" more aptly describes the error.

@josevalim
Ruby on Rails member
josevalim added a note Dec 19, 2010

@bbhoss, from a technical point of view yes, but "is insecure" would be a bad message to show to a user. It doesn't reveal much.

Thanks @asanghi, I have pushed a fix.

end
end
end
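Review bot: `WEAK_PASSWORDS.include?(@password)` is an exact, case-sensitive match, so "Password" or "PASSWORD" pass the check that "password" fails; comparing `@password.downcase` (and stripping surrounding whitespace) against the list closes that gap cheaply. The new message "is a too weak and common" has a grammar slip, as already pointed out in the thread, and should read "is too weak and common". Removing `salt_for_password` is the right call: `BCrypt::Password.create` generates and embeds a random salt, whereas the deleted `object_id.to_s + rand.to_s` salt was not cryptographically strong anyway.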
11 activemodel/test/cases/secure_password_test.rb
@@ -33,6 +33,17 @@ class SecurePasswordTest < ActiveModel::TestCase
assert @user.valid?
end
+ test "too weak passwords" do
+ @user.password = "123456"
+ assert !@user.valid?
+
+ @user.password = "password"
+ assert !@user.valid?
+
+ @user.password = "d9034rfjlakj34RR$!!"
+ assert @user.valid?
+ end
+
test "authenticate" do
@user.password = "secret"
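Review bot: the new "too weak passwords" test covers two of the three `WEAK_PASSWORDS` entries but not "qwerty", and it has no boundary case for the length rule; adding `@user.password = "qwerty"` with `assert !@user.valid?` and a six-character non-listed password (rejected by `size > 6`) beside a seven-character one (accepted) would pin down both rules and catch the off-by-one disagreement between the doc comment ("at least 6 chars") and the implementation.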

1 comment on commit bd9dc4f

@mrrooijen

It's awesome that BCrypt handles salting.
