Encryption-Decryption in Rails


Solution 1

SHA1 is a one way function you can't reverse it.

This may be of interest re password resets: http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/

If you want to do encryption/decryption then you should use something like AES. Once you start using encryption/decryption, however, you'll also have to start worrying about key management too.

Regarding your comment to the OP below - if you are going to be storing CC info, I would advise you get a security person in who knows about crypto, key management etc. and who also understands the relevant legal and regulatory aspects.

Solution 2

don't encrypt a password. instead, store the hash of a password (better with a salt).

to forget a password usually means (re-)authentication via another channel, say, an email notification of password reset.

watch http://railscasts.com/episodes/209-introducing-devise if you need something already pre-built.

edit: if you really need encryption, google "openssl ruby"

there is never a simple solution for secure work. how good your implementation is depends on the weakest link.

so, my recommendation is, don't count on a short answer on SO ;-)
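An added example (editor's code, not part of Solution 2) of the "store a salted hash, never the password" advice, using only Ruby's OpenSSL standard library. PBKDF2-HMAC-SHA256 stands in for the slow, salted hash; the iteration count and the `pbkdf2-sha256$...` record format are assumptions chosen for this example, not anything the answer specifies. Login re-derives the key from the entered password and compares in constant time; there is nothing to decrypt, which is exactly why "forgot password" has to be a reset rather than a recovery.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the original answers: salted password hashing and
# verification with PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library.
# The stored record never contains the password, only what is needed to
# re-derive the key and compare: scheme, iteration count, salt and derived key.
PBKDF2_ITERATIONS = 100_000 # assumption: raise until one hash costs ~100 ms on your hardware
PBKDF2_KEY_BYTES  = 32
SALT_BYTES        = 16

# Returns a self-describing string "pbkdf2-sha256$iterations$salt$key" (base64
# via pack('m0')) so the parameters can be raised later without rehashing every
# row at once.
def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES) # fresh per user: equal passwords get different hashes
  key  = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, PBKDF2_KEY_BYTES,
                                    OpenSSL::Digest.new('SHA256'))
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [key].pack('m0')].join('$')
end

# Re-derives the key from the candidate password and compares in constant time.
# Returns false for malformed or foreign-scheme records instead of raising.
def verify_password(password, stored)
  scheme, iterations, salt_b64, key_b64 = stored.to_s.split('$', 4)
  return false unless scheme == 'pbkdf2-sha256' && key_b64
  salt     = salt_b64.unpack1('m0')
  expected = key_b64.unpack1('m0')
  actual   = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, Integer(iterations), expected.bytesize,
                                        OpenSSL::Digest.new('SHA256'))
  secure_compare(actual, expected)
rescue ArgumentError
  false
end

# Constant-time byte comparison: does not stop at the first mismatch, so
# response timing does not reveal how many leading bytes were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

The same password hashed twice yields two different records because of the random salt, so a leaked table cannot be attacked with one precomputed lookup across all users. A legacy `sha1$...` record is simply rejected, which is where a migration path (rehash on next successful login) would hook in.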

Solution 3

As Horace Ho explained, you should never encrypt a password but always store a crypted salt.

However, it's perfectly fine to encrypt other kinds of data, such as confidential information. Encryptor is a simple but powerful wrapper for OpenSSL. It provides the ability to encrypt/decrypt attributes in any class.
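An added example (editor's code, not from Solution 1, Solution 3 or the Encryptor gem) of the reversible encryption both answers reserve for non-password data, done directly with Ruby's OpenSSL standard library and AES-256-GCM. The `v1:` record prefix, the environment-variable key source and the use of the record id as additional authenticated data are assumptions for this example. It also shows the key-management point from Solution 1 in code: the key lives outside the database, and the whole scheme is only as safe as that key.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the original answers or from the Encryptor gem:
# reversible encryption of a confidential field with AES-256-GCM from Ruby's
# OpenSSL standard library. GCM authenticates the ciphertext, so a modified or
# swapped value fails to decrypt instead of yielding plausible garbage.
CIPHER_NAME = 'aes-256-gcm'
NONCE_BYTES = 12 # GCM's standard nonce size; must never repeat under one key
TAG_BYTES   = 16

# Key management is the real cost of this approach. Assumption for this example:
# the 32-byte key is hex in an environment variable, so a database dump alone
# cannot decrypt the column. In production prefer a KMS/HSM and plan rotation.
def key_from_env(name = 'FIELD_ENCRYPTION_KEY')
  hex = ENV.fetch(name) { raise KeyError, "#{name} is not set" }
  key = [hex].pack('H*')
  raise ArgumentError, "#{name} must be 64 hex chars (32 bytes)" unless key.bytesize == 32
  key
end

# Encrypts one field value. `aad` (additional authenticated data) is not
# encrypted but is bound into the tag; passing the record id stops someone with
# DB write access from moving one row's ciphertext into another row.
def encrypt_field(plaintext, key, aad: '')
  cipher = OpenSSL::Cipher.new(CIPHER_NAME).encrypt
  cipher.key = key
  nonce = SecureRandom.random_bytes(NONCE_BYTES)
  cipher.iv = nonce
  cipher.auth_data = aad
  ciphertext = (plaintext.empty? ? '' : cipher.update(plaintext)) + cipher.final
  # Version prefix lets a future key or algorithm change coexist with old rows.
  'v1:' + [nonce + ciphertext + cipher.auth_tag].pack('m0')
end

# Returns the plaintext (assumed UTF-8), or nil when the value was tampered
# with, encrypted under another key, or bound to different aad.
def decrypt_field(stored, key, aad: '')
  return nil unless stored.is_a?(String) && stored.start_with?('v1:')
  blob = stored[3..-1].unpack1('m0')
  return nil if blob.bytesize < NONCE_BYTES + TAG_BYTES
  nonce      = blob[0, NONCE_BYTES]
  tag        = blob[-TAG_BYTES, TAG_BYTES]
  ciphertext = blob[NONCE_BYTES...-TAG_BYTES]
  cipher = OpenSSL::Cipher.new(CIPHER_NAME).decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = aad
  plain = (ciphertext.empty? ? '' : cipher.update(ciphertext)) + cipher.final
  plain.force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end
```

Two encryptions of the same value produce different stored strings because the nonce is random per call, so equal plaintexts are not visible as equal ciphertexts. Flipping a single ciphertext byte, using the wrong key, or presenting the value under a different record id all make `decrypt_field` return nil rather than data.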

Solution 4

Look at the ezcrypto gem: http://ezcrypto.rubyforge.org/

There's also the crypt gem, look at Blowfish : http://crypt.rubyforge.org

Solution 5

To do two-way encryption on other database fields, check out the attr_encrypted gem

https://github.com/shuber/attr_encrypted

But as others mentioned you wouldn't want to do this on a password. Passwords should be stored one way. For forgotten password functionality you usually email them an impossible-to-guess url that would let them choose a new password.

There is an example here: http://railscasts.com/episodes/274-remember-me-reset-password?view=asciicast
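An added example (editor's code, not from Solution 5, Devise or the Railscast) of the reset flow the answer describes: e-mail the user an unguessable URL that lets them choose a new password, with no decryption of anything. The in-memory `PasswordResetTokens` class is a hypothetical stand-in for a database table, and the TTL and route shape are assumptions. The detail worth copying is that only the token's digest is stored, so a leaked table does not hand out working reset links, and the token is single-use and expires.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the original answers or from Devise/Railscasts:
# a "forgot password" flow that never needs the old password. The user gets a
# one-time, expiring, unguessable token in a link; the store keeps only the
# token's SHA-256 digest, so a leaked table cannot be replayed as reset links.
RESET_TOKEN_TTL = 30 * 60 # seconds; assumption, pick what your risk model allows

# Hypothetical in-memory stand-in for a password_resets table. `now` is
# injectable so expiry can be exercised without sleeping.
class PasswordResetTokens
  def initialize(now: -> { Time.now })
    @now  = now
    @rows = {} # token digest => { user_id:, expires_at: }
  end

  # Issues a token for user_id and returns the raw token for the e-mail link.
  # Only the digest is retained; the raw value exists in memory and the mail.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of randomness, URL-safe
    @rows[digest(raw)] = { user_id: user_id, expires_at: @now.call + RESET_TOKEN_TTL }
    raw
  end

  # Consumes the token: returns the user_id if it is known and unexpired, else nil.
  # The row is deleted on the first matching attempt, so a token works at most once.
  def redeem(raw)
    row = @rows.delete(digest(raw.to_s))
    return nil if row.nil? || row[:expires_at] <= @now.call
    row[:user_id]
  end

  private

  def digest(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end

# Builds the link that goes in the e-mail (route shape is an assumption).
def reset_link(base_url, raw_token)
  "#{base_url}/password_resets/#{raw_token}/edit"
end
```

In a Rails app `issue` would run in the "forgot password" action and hand the raw token to a mailer, while `redeem` would run in the edit/update action of the reset controller before accepting the new password. The lookup is by digest, so the raw token never needs to be written to disk.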


Updated on July 21, 2022

Comments

  • Salil (almost 2 years ago)

    I am using require 'digest/sha1' to encrypt my password and save it into the database. During login I authenticate by matching the encrypted password saved in the database against the password the user enters in the password field, encrypted again. As of now everything works fine, but now I want to do 'Forgot Password' functionality. To do this I need to decrypt the password which is saved in the database to find the original one. How to decrypt using digest/sha1? Or does anyone know any algorithm which supports encryption & decryption as well?

    I am using ruby on rails so I need Ruby way to accomplish it.