Re: [devise] How does Devise encrypt passwords? How do I change the way Devise encrypts passwords?


Rafael Mendonça França

Jul 15, 2012, 2:44:26 PM7/15/12
to plataforma...@googlegroups.com
Look at this file to see how Devise encrypts passwords.

And look at this project to see how to change it.
Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca



On Sun, Jul 15, 2012 at 3:06 PM, Benjamin Lei <benle...@gmail.com> wrote:

How does Devise encrypt passwords? Is it something like:
crypt(crypt(password) + salt)
or something alike?

How do I change the way Devise encrypts passwords?


Benjamin Lei

Jul 15, 2012, 3:01:30 PM7/15/12
to plataforma...@googlegroups.com
I'm sort of new to Ruby, so I'm not sure what's really happening. I also haven't used Devise yet, but am considering it.
It almost looks like, to me, that Devise encrypts passwords as:
crypt(password+salt)

or something like that. Do I need to install devise-encryptable in order to change their method of encryption? Or is it possible to edit it from Devise-generated ruby files?

Rafael Mendonça França

Jul 15, 2012, 3:07:23 PM7/15/12
to plataforma...@googlegroups.com
It is possible but not recommended. You can override the methods in your model. I strongly recommend that you use the default Devise encryptor, which uses BCrypt.

Benjamin Lei

Jul 15, 2012, 3:52:40 PM7/15/12
to plataforma...@googlegroups.com
Well, I'm not trying to not use BCrypt. I'm trying to further encrypt the password than it already is. For example, maybe encrypt the password 100 times, or rearrange the way Devise encrypts the password (e.g. crypt(crypt(crypt(pass) + crypt(salt)) + crypt(crypt(password)))); something like that.

Andrés gutiérrez

Jul 15, 2012, 3:54:23 PM7/15/12
to plataforma...@googlegroups.com
why?

2012/7/15 Benjamin Lei <benle...@gmail.com>

Nistor Andrei

Jul 15, 2012, 4:00:55 PM7/15/12
to plataforma...@googlegroups.com
On Sun, Jul 15, 2012 at 10:52 PM, Benjamin Lei <benle...@gmail.com> wrote:
Well, I'm not trying to not use BCrypt. I'm trying to further encrypt the password than it already is. For example, maybe encrypt the password 100 times, or rearrange the way Devise encrypts the password (e.g. crypt(crypt(crypt(pass) + crypt(salt)) + crypt(crypt(password)))); something like that.

BCrypt has a weight factor, so point one is accomplished. As for the second, why on earth would you do that?

Benjamin Lei

Jul 15, 2012, 4:10:55 PM7/15/12
to plataforma...@googlegroups.com
I see. Well, the idea is to make it more difficult to crack passwords. Though the iterative method of encryption can be used, I personally think that things need to be 'scrambled' for further, better encryption.

Benjamin Lei

Jul 15, 2012, 7:36:20 PM7/15/12
to plataforma...@googlegroups.com
By the way, what's the default weight factor for Devise and how does one change it?


On Sunday, July 15, 2012 1:00:55 PM UTC-7, Andrei Nistor wrote:

Nistor Andrei

Jul 15, 2012, 8:00:37 PM7/15/12
to plataforma...@googlegroups.com
On Mon, Jul 16, 2012 at 2:36 AM, Benjamin Lei <benle...@gmail.com> wrote:
By the way, what's the default weight factor for Devise and how does one change it?

config.stretches in config/initializers/devise.rb. Default is 10 iirc.

I don't see any benefit in "scrambling". If you use a reasonable number of stretches, salt and pepper you should be fine.

Carlos Antonio da Silva

Jul 15, 2012, 8:29:44 PM7/15/12
to plataforma...@googlegroups.com
TLDR: Use BCrypt, increase stretches (only if you really want to - also makes things slower, defaults to 10 I think), and make sure password length is at least 8 chars (or more - 8 is the default in devise master, it was 6).

For more:
And search the mailing list, there was a discussion these days about something similar, and a good link to a related blog post. (Sorry I can't find it now, my internet is not helping.)

Hope this helps.

-- 
At.
Carlos Antonio

On Sunday, July 15, 2012 at 9:00 PM, Nistor Andrei wrote:

If

Tom Harrison

Jul 16, 2012, 12:00:57 PM7/16/12
to plataforma...@googlegroups.com
Benjamin -- for test only, Devise uses a "stretch" of 1 for bcrypt, otherwise the default is 20, and this makes for a very, very, very strong password (both one that is repeatedly re-encrypted, and one that uses a purposely slow algorithm making cracking take an exceptionally long time).  You can change the stretch value in app/initializers/devise.rb.  You might also want to make the minimum password length 8 or more.

As others have said, I also encourage you to use the exceptionally good methods employed by Devise for security for defaults, in particular sticking with bcrypt.  These guys know their stuff and have done the work that everyone else writing websites should do.  

Let their expertise in this specific area allow you to focus on securing other aspects of your installation -- strong systems passwords, firewalls, close unneeded ports, make sure other credentials are not in source control, etc.  I formerly worked with a guy who was a so-called security expert who thought that doing magic with encryption would make his systems impenetrable.  But he failed to put a password on his database root user and then (!) opened the port for the database to the public.  If he had stepped back and used common sense, he would have realized that a huge lock on a weak door is no lock at all.  In working in this business for a while, I have seen this pattern a lot.  It's frightening, to be honest.

Tom
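The replies above describe Devise's default scheme in words: a per-user salt, an application-wide pepper, and a cost setting (`config.stretches`) that makes each guess slower. The following is an added example, written for this thread and not code from Devise or from any of the posters. It mirrors the shape of Devise's default encryptor (the pepper is appended to the password before hashing, the salt and cost are stored with the hash) so that the three settings can be seen working together and so that a stored hash can be upgraded when the cost is raised later. Devise uses bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from Ruby's standard library so it runs without the bcrypt gem, and treats `stretches` as a log2 cost the way bcrypt does. The module name `StretchedDigest` and the `pbkdf2$cost$salt$hash` storage format are this example's own conventions, not Devise's.

```ruby
require "openssl"
require "securerandom"

# Added example, not Devise's code. PBKDF2-HMAC-SHA256 stands in for bcrypt;
# the storage format "pbkdf2$stretches$salt$hash" is this example's own.
module StretchedDigest
  SALT_BYTES = 16
  KEY_BYTES  = 32
  SCHEME     = "pbkdf2"

  # Treat "stretches" as a log2 cost, as bcrypt does: each +1 doubles the
  # work needed for one guess, for the attacker as much as for the server.
  def self.iterations_for(stretches)
    2**stretches
  end

  # Produce the string to store in the user's encrypted_password column.
  # The salt is random per record; the pepper is a fixed application secret
  # kept outside the database (Devise reads it from its initializer).
  def self.digest(password, pepper:, stretches:, salt: SecureRandom.hex(SALT_BYTES))
    key = OpenSSL::PKCS5.pbkdf2_hmac(
      "#{password}#{pepper}",        # pepper appended, as Devise does
      salt,
      iterations_for(stretches),
      KEY_BYTES,
      OpenSSL::Digest.new("SHA256")
    )
    # The cost travels with the hash so it can be raised later (see needs_rehash?).
    [SCHEME, stretches, salt, key.unpack1("H*")].join("$")
  end

  # Verify a candidate password against a stored string. Malformed input
  # yields false rather than an exception.
  def self.valid_password?(password, encoded, pepper:)
    scheme, stretches, salt, hash_hex = encoded.split("$", 4)
    return false unless scheme == SCHEME && salt && hash_hex
    cost = begin
      Integer(stretches)
    rescue ArgumentError, TypeError
      return false
    end
    candidate = digest(password, pepper: pepper, stretches: cost, salt: salt)
    secure_equal?(candidate, encoded)
  end

  # True when a stored hash was made with fewer stretches than the current
  # setting, i.e. it should be re-digested at the user's next successful login.
  def self.needs_rehash?(encoded, current_stretches)
    _scheme, stretches, = encoded.split("$", 3)
    Integer(stretches) < current_stretches
  end

  # Constant-time comparison: runtime does not depend on where the first
  # differing byte sits, so it leaks nothing about the stored hash.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  pepper = "constructed-pepper-value"   # constructed; in Devise this is config.pepper
  stored = StretchedDigest.digest("correct horse", pepper: pepper, stretches: 10)
  puts stored
  puts StretchedDigest.valid_password?("correct horse", stored, pepper: pepper)
  puts StretchedDigest.valid_password?("wrong horse", stored, pepper: pepper)
  puts StretchedDigest.needs_rehash?(stored, 12)
end
```

Two things the code shows that the thread only states: raising `stretches` by one doubles the cost of every guess, which is what "encrypt the password 100 times" was reaching for, and a stored hash records the cost it was made with, so the setting can be increased without invalidating existing accounts. Composing extra hash calls around this ("scrambling") changes none of the inputs an attacker has to guess and so adds nothing the cost setting does not already give.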