Mel Riffe
Feb 20, 2012, 10:46:56 AM
to auth...@googlegroups.com
Howdy Everyone,
I'm starting to work in a requirement for a client that wants to keep people from using the same password over and over; they've stated the requirement that a password can only be used once in a year's timeframe.
I know this isn't directly supported by Authlogic; it's not even specific to Authlogic. But, I figured: since we're using Authlogic and I don't want to store plain text passwords and I need a way to compare encrypted passwords, why not see if Authlogic can help me out.
Background: This is for a Rails 2.3.x app and I'm using Authlogic 2.1.6. Unfortunately I'm not in a position to upgrade to a newer version of Rails.
The general approach I'd like to take is:
* create a HistoricalPassword model; define a has_many :historical_passwords on User (crypted_password, user_id, timestamps)
* encrypt the password when HistoricalPassword is instantiated
* create a validation that verifies the new password hasn't been used since 'password_changed_at' - 1.year
Questions:
1) After perusing the code it looks like a new password_salt is generated whenever a new password is set. Is this true? I have a feeling this will come into play when I'm comparing passwords.
2) How do I gain access to the default crypto without going directly to it?
3) Is there anything I should be considering or that I'm missing?
Thanks, in advance, for any help I receive!
Cheers,
Mel
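The history check sketched in the post, as an added plain-Ruby example (not Authlogic's code and not the poster's): because every password change gets a fresh salt, the salt has to be stored alongside each historical digest, and the candidate password is re-hashed with each stored salt rather than compared digest-to-digest. `StandInCrypto` is an assumed stand-in for the configured crypto provider, and the validation logic lives in a plain class instead of an ActiveRecord model so it runs without Rails.

```ruby
require 'digest'
require 'securerandom'

# Assumed stand-in for the configured crypto provider: a salted,
# stretched SHA-512 hex digest. Swap in the real provider in the app.
module StandInCrypto
  STRETCHES = 20

  def self.encrypt(password, salt)
    digest = password + salt
    STRETCHES.times { digest = Digest::SHA512.hexdigest(digest) }
    digest
  end
end

# One row of the proposed historical_passwords table. The salt is kept
# with the digest because each password change generates a new salt.
HistoricalPassword = Struct.new(:crypted_password, :password_salt, :created_at)

class PasswordHistory
  ONE_YEAR = 365 * 24 * 60 * 60 # seconds

  def initialize
    @entries = []
  end

  # Record a newly set password under a fresh salt; only the digest and
  # salt are persisted, never the plain text.
  def record(password, at:)
    salt = SecureRandom.hex(16)
    @entries << HistoricalPassword.new(StandInCrypto.encrypt(password, salt), salt, at)
  end

  # The validation: has this candidate been used in the past year?
  # Re-hash the candidate with each row's own salt and compare digests.
  def reused_within_year?(candidate, now:)
    @entries.any? do |row|
      row.created_at >= now - ONE_YEAR &&
        StandInCrypto.encrypt(candidate, row.password_salt) == row.crypted_password
    end
  end
end
```

In the Rails model this check becomes a `validate` on User that runs only when the password attribute changed, reading the rows through the `has_many :historical_passwords` association.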