#39 new
take_tk

password_digest @ authenticated_generator.rb

Reported by take_tk | February 5th, 2009 @ 12:28 AM

I think the following password_digest method is not very secure, because once a cracker finds the "xx--xx--pp--xx" pattern, the raw password is in it.

def password_digest(password, salt)
  # secure_digest joins its arguments with "--" and returns the SHA1 hex digest
  digest = $rest_auth_site_key_from_generator
  $rest_auth_digest_stretches_from_generator.times do
    digest = secure_digest(digest, salt, password, $rest_auth_site_key_from_generator)
  end
  digest
end

Do not use the password or the salt in the loop.

(A)

def password_digest(password, salt)
  digest = secure_digest(salt, password, $rest_auth_site_key_from_generator)
  $rest_auth_digest_stretches_from_generator.times do
    digest = secure_digest(digest, $rest_auth_site_key_from_generator)
  end
  digest
end

Moreover, it is better not to use the same site key every time, because once a cracker finds the "xx--ss" pattern, the site key is there, a hint for the next crack.

(B)

def make_token
  secure_digest(Time.now, (1..10).map{ rand.to_s })
end
 # vvvv
 # returns an array of tokens, one per stretch
def make_token
  Array.new($rest_auth_digest_stretches_from_generator){
     secure_digest(Time.now, (1..10).map{ rand.to_s })
  }
end

REST_AUTH_SITE_KEY         = '<%= $rest_auth_site_key_from_generator %>'
  # vvv [ xxx, xxx, xxx, ... ]
REST_AUTH_SITE_KEYS        = <%= $rest_auth_site_key_from_generator.inspect %>

def password_digest(password, salt)
  digest = secure_digest(salt, password)
  # the generator global now holds the array of per-stretch keys
  $rest_auth_site_key_from_generator.each do |key|
    digest = secure_digest(digest, key)
  end
  digest
end

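The three constructions discussed in this ticket (the plugin's original password_digest, proposal (A) and proposal (B)), written out as runnable Ruby on top of the plugin's secure_digest (SHA1 over the arguments joined with "--"). This is an added example, not code from the ticket or from restful-authentication. SITE_KEY, STRETCHES, the salt and the password 'hunter2' are constructed values, and original_round_preimage, make_site_keys, secure_compare and verify are added helper names that do not exist in the plugin.

```ruby
require 'digest/sha1'

# Constructed stand-ins for the values the generator writes into site_keys.rb.
SITE_KEY  = '09f911029d74e35bd84156c5635688c0'.freeze # assumed fixed site key
STRETCHES = 10                                         # assumed stretch count

# restful-authentication's secure_digest: SHA1 over the arguments joined by "--".
def secure_digest(*args)
  Digest::SHA1.hexdigest(args.flatten.join('--'))
end

# The plugin's make_token, and the ticket's variant yielding one token per stretch.
def make_token
  secure_digest(Time.now, (1..10).map { rand.to_s })
end

def make_site_keys(count)
  Array.new(count) { make_token }
end

# Original scheme: salt, password and site key are fed into every round.
def password_digest_original(password, salt, site_key = SITE_KEY, stretches = STRETCHES)
  digest = site_key
  stretches.times { digest = secure_digest(digest, salt, password, site_key) }
  digest
end

# The literal string one round of the original scheme hashes: the
# "xx--xx--pp--xx" layout the ticket refers to (digest--salt--password--key).
def original_round_preimage(digest, password, salt, site_key = SITE_KEY)
  [digest, salt, password, site_key].join('--')
end

# Proposal (A): salt and password are hashed once; only the site key is chained.
def password_digest_a(password, salt, site_key = SITE_KEY, stretches = STRETCHES)
  digest = secure_digest(salt, password, site_key)
  stretches.times { digest = secure_digest(digest, site_key) }
  digest
end

# Proposal (B): a distinct site key per round, so no "xx--ss" round reuses a key.
def password_digest_b(password, salt, site_keys)
  digest = secure_digest(salt, password)
  site_keys.each { |key| digest = secure_digest(digest, key) }
  digest
end

# Constant-time equality for hex digests (added helper, not from the plugin).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A login check reruns the whole chain for the chosen scheme; none of the three
# can be shortcut, and the stored digest is compared in constant time.
def verify(stored, candidate, salt, scheme, keys = nil)
  recomputed = case scheme
               when :original then password_digest_original(candidate, salt)
               when :a        then password_digest_a(candidate, salt)
               when :b        then password_digest_b(candidate, salt, keys)
               else raise ArgumentError, "unknown scheme #{scheme}"
               end
  secure_compare(stored, recomputed)
end

if __FILE__ == $PROGRAM_NAME
  salt = make_token                      # constructed per-user salt
  keys = make_site_keys(STRETCHES)       # constructed per-stretch keys for (B)
  original = password_digest_original('hunter2', salt)
  puts "round 1 preimage: #{original_round_preimage(SITE_KEY, 'hunter2', salt)}"
  puts "original: #{original}"
  puts "(A):      #{password_digest_a('hunter2', salt)}"
  puts "(B):      #{password_digest_b('hunter2', salt, keys)}"
  puts "login with right password: #{verify(original, 'hunter2', salt, :original)}"
  puts "login with wrong password: #{verify(original, 'hunter3', salt, :original)}"
end
```

Running it shows what each scheme actually hashes: the original's round preimage is the joined digest--salt--password--key string, (A) and (B) only carry the running digest plus a key after the first round, and all three cost the same STRETCHES SHA1 calls to compute and to verify. Whichever variant is used, a login path has to recompute the complete chain and should compare the result in constant time rather than with ==.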
No comments found


Restful Authentication Generator

This widely-used plugin provides a foundation for securely managing user
authentication:
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.

http://github.com/technoweenie/restful-authentication/tree
