password_digest @ authenticated_generator.rb
Reported by take_tk | February 5th, 2009 @ 12:28 AM
I think the following password_digest method is not so secure, because once a cracker finds the "xx--xx--pp--xx" pattern, the raw password is in it.
# current generator version: salt, password and site key are fed into every round
def password_digest(password, salt)
  digest = $rest_auth_site_key_from_generator
  $rest_auth_digest_stretches_from_generator.times do
    digest = secure_digest(digest, salt, password, $rest_auth_site_key_from_generator)
  end
  digest
end
Do not use the password or the salt inside the loop.
(A)
# salt and password only in the first hash; the loop stretches digest + site key
def password_digest(password, salt)
  digest = secure_digest(salt, password, $rest_auth_site_key_from_generator)
  $rest_auth_digest_stretches_from_generator.times do
    digest = secure_digest(digest, $rest_auth_site_key_from_generator)
  end
  digest
end
Moreover, it is better not to use the same site key every round, because once a cracker finds the "xx--ss" pattern, the site key is in it, a hint for the next crack.
(B)
# current generator version: one token
def make_token
  secure_digest(Time.now, (1..10).map{ rand.to_s })
end
# vvvv
# returns array of tokens, one per stretch
def make_token
  Array.new($rest_auth_digest_stretches_from_generator){
    secure_digest(Time.now, (1..10).map{ rand.to_s })
  }
end

REST_AUTH_SITE_KEY = '<%= $rest_auth_site_key_from_generator %>'
# vvv [ xxx, xxx, xxx, ... ]
REST_AUTH_SITE_KEYS = <%= $rest_auth_site_key_from_generator.inspect %>

# one round per site key instead of one round per stretch with a single key
def password_digest(password, salt)
  digest = secure_digest(salt, password)
  $rest_auth_site_keys.each do |key|
    digest = secure_digest(digest, key)
  end
  digest
end
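The current generator loop and the ticket's variant (A), side by side as an added, runnable example (not code from the ticket or from the restful_authentication project). It assumes secure_digest joins its arguments with "--" and SHA-1s the result, and uses a constructed site key and stretch count in place of the generator's globals.

```ruby
require 'digest/sha1'

# Constructed stand-ins for the values the generator writes into site_keys.rb
# ($rest_auth_site_key_from_generator / $rest_auth_digest_stretches_from_generator).
SITE_KEY  = 'constructed-site-key-0123456789abcdef'
STRETCHES = 10

# secure_digest as assumed here: join every part with "--" and SHA-1 hex it.
def secure_digest(*args)
  Digest::SHA1.hexdigest(args.flatten.join('--'))
end

# The per-round preimage the ticket calls the "xx--xx--pp--xx" pattern,
# i.e. the exact string SHA-1 sees in the current generator loop.
def round_preimage(digest, salt, password)
  [digest, salt, password, SITE_KEY].join('--')
end

# Current generator loop: salt, password and site key feed every round.
def password_digest_original(password, salt, stretches = STRETCHES)
  digest = SITE_KEY
  stretches.times { digest = secure_digest(digest, salt, password, SITE_KEY) }
  digest
end

# Ticket's variant (A): salt and password enter only the first hash; the
# remaining rounds stretch the running digest together with the site key.
def password_digest_variant_a(password, salt, stretches = STRETCHES)
  digest = secure_digest(salt, password, SITE_KEY)
  stretches.times { digest = secure_digest(digest, SITE_KEY) }
  digest
end

# Login-time check: recompute with the stored salt and compare. Either scheme
# only verifies if SITE_KEY and the stretch count are unchanged since enrolment,
# so neither may be rotated without re-hashing every stored digest.
def authenticates?(stored_digest, password, salt, scheme = :original)
  candidate = scheme == :original ? password_digest_original(password, salt) :
                                    password_digest_variant_a(password, salt)
  candidate == stored_digest
end

if __FILE__ == $PROGRAM_NAME
  salt   = secure_digest(Time.now, (1..10).map { rand.to_s }) # salt as make_token builds it
  stored = password_digest_original('correct horse', salt)
  puts "round 1 preimage: #{round_preimage(SITE_KEY, salt, 'correct horse')}"
  puts "stored digest:    #{stored}"
  puts "login ok: #{authenticates?(stored, 'correct horse', salt)}"
  puts "wrong pw: #{authenticates?(stored, 'wrong', salt)}"
end
```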
Restful Authentication Generator
This widely-used plugin provides a foundation for securely managing user
authentication:
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.
http://github.com/technoweenie/restful-authentication/tree