storing encrypted passwords in the database

Hi,

I have a password column in my customer table. Right now, the scaffolding saves the password in plain text. If I wanted to store the password in an encrypted form, what is the easiest way of doing that?

Much thanks, - Dave

Have a look at what acts_as_authenticated/restful_authentication does.

Ditto on the plugins Ryan mentioned. It's important to note that you shouldn't store the encrypted password -- instead, you should store a salted hash, which is much more secure. There are lots of resources that discuss how and why.

I would recommend the same, except SHA256 instead of the SHA1 that restful authentication uses.

Regarding restful_authentication (since it seems acts_as_authenticated is deprecated), how would I configure my app so that restful_authentication uses an existing table I have (customer) with its fields (customer.username, customer.password)?

Thanks, - Dave

Those plugins generate code that you can put anywhere. If you want to keep an existing table, you could add all of restful_authentication's fields to that table and just copy the generated User model code into your Customer model. Or, it might be easier to do it the other way around.

I like this idea (doing it the other way around, that is).

I have a follow up question on the subject of encryption/salted hashes. If I want to (for lack of a better word) encrypt some of the other fields in the database, can I use the plugin(s) above to do that? Otherwise, how would you recommend I get it done?

Thanks, - Dave

You could use the same methods in those plugins. The way it works is the data is run through a one-way hashing function. You store this hash in the database. On future requests, you must hash the user input then compare it to the hash you have in the database. It's one way though, so there is no feasible way to know what the original data was - only the hash that was derived from it. This is why most authentication systems require you to "reset" your password instead of just telling you the original - they don't know the original password.
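The store-then-compare flow described above, written out as an added example in plain Ruby (it is not code from this thread or from restful_authentication); it uses SHA-256 as suggested earlier in the thread, and the module, method names and demo values are my own:

```ruby
require "digest"
require "securerandom"

# Added example: a salted one-way hash for a password column. Only the
# salt and the digest are persisted; the plaintext is never stored.
module PasswordHash
  # Number of hashing rounds; stretching slows down offline guessing.
  STRETCHES = 10

  def self.generate_salt
    SecureRandom.hex(16) # 32 hex chars of random salt per record
  end

  # Derive the stored digest from the salt and the plaintext.
  def self.digest(password, salt)
    result = "#{salt}--#{password}"
    STRETCHES.times { result = Digest::SHA256.hexdigest("#{result}--#{salt}") }
    result
  end

  # Called once when the customer sets a password: returns the two
  # values to save (e.g. customer.salt and customer.crypted_password).
  def self.create(password)
    salt = generate_salt
    [salt, digest(password, salt)]
  end

  # Called on later logins: rehash the submitted password with the stored
  # salt and compare. The comparison is constant-time so response timing
  # does not reveal how many leading bytes of the digest matched.
  def self.authenticate?(submitted, stored_salt, stored_digest)
    candidate = digest(submitted, stored_salt)
    return false unless candidate.bytesize == stored_digest.bytesize
    candidate.bytes.zip(stored_digest.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed demonstration values, not data from the thread.
if __FILE__ == $0
  salt, stored = PasswordHash.create("correct horse")
  puts "salt=#{salt} digest=#{stored}"
  puts PasswordHash.authenticate?("correct horse", salt, stored) # true
  puts PasswordHash.authenticate?("wrong guess", salt, stored)   # false
end
```

Iterated SHA-256 is shown because it matches the thread's suggestion; for new code a purpose-built password KDF such as bcrypt or PBKDF2 with a high work factor is the better choice.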