billv wrote in post #1018052:
I'm using the has_secure_password function in my Rails 3.1 model. I
need to verify that the passwords are unique. The has_secure_password
function stores the password in a bcrypt hash. It appears the hashes
are created with a salt unique to the record, therefore the hash is
unique even for the same password. Does anyone know a way around
As an example, if I create two users with the username "user" and the
password "password", the saved password_digest for each will be
different. Because I don't store the password itself, I can't check
to be sure the passwords are unique.
So you are proposing to significantly reduce security of your passwords
in order to ensure that two users don't happen to use the same password?
Sounds counterproductive to me.
Do you understand the reason, and security advantage, of salted hashes?
What you need to worry about is making sure your users use strong
passwords, not whether two users use the same one.
Bottom line is that a lot of thought, by some really smart people, came
up with the techniques used for securing computer systems. If you try to
outthink them, chances are likely that you'll end up lessening the
security of your system not strengthening it.
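An added example (not code from the thread or from Rails) that illustrates the point about salted hashes: the same password stored for two records yields two different digests, so comparing digests tells you nothing about password equality, while verification still works because the salt is stored alongside the hash and reused at check time. It uses PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for bcrypt so it runs without the bcrypt gem; the `make_digest`, `verify` and `secure_equal?` names and the iteration count are this example's own choices, not has_secure_password's internals.

```ruby
require "openssl"
require "securerandom"

# Constructed parameters for the stand-in KDF (bcrypt would use a cost factor instead).
ITERATIONS = 20_000
KEY_LEN = 32
SALT_LEN = 16

# Derive a key from the password and a salt. Assumption: PBKDF2-HMAC-SHA256 from the
# openssl stdlib plays the role bcrypt plays under has_secure_password.
def derive(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: KEY_LEN, hash: "sha256")
end

# What happens on assignment: pick a fresh random salt per record and store
# "salt$hash" as a single string, the way a bcrypt digest embeds its salt.
def make_digest(password)
  salt = SecureRandom.random_bytes(SALT_LEN)
  "#{salt.unpack1('H*')}$#{derive(password, salt).unpack1('H*')}"
end

# Constant-time byte comparison so a mismatch does not leak how many leading
# bytes matched through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What authenticate does: split out the stored salt, re-derive, compare.
def verify(password, digest)
  salt_hex, hash_hex = digest.split("$", 2)
  candidate = derive(password, [salt_hex].pack("H*"))
  secure_equal?(candidate, [hash_hex].pack("H*"))
end

if __FILE__ == $PROGRAM_NAME
  # Two users choosing the same password, as in the question.
  alice = make_digest("password")
  bob   = make_digest("password")
  puts "digests equal?      #{alice == bob}"          # false: different salts
  puts "alice verifies?     #{verify('password', alice)}"
  puts "bob verifies?       #{verify('password', bob)}"
  puts "wrong password?     #{verify('Password', alice)}"
end
```

Because each stored digest carries its own random salt, a lookup like `User.where(password_digest: ...)` can never find a second user with the same password; the only operation the scheme supports is "does this candidate match this one record", which is exactly the property the reply is defending.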