#7 ✓resolved
Peter Zingg

Best practice for password strategies

Reported by Peter Zingg | November 16th, 2008 @ 02:15 PM

I am using authlogic in an application (just a shell right now). There are a couple of things I wanted to do, but I'm not sure I did them in the most efficient way:

  1. support for multiple openID identities
  2. support for case-insensitive passwords
  3. support for different strategy for generated passwords
  4. support for lost password, etc.
  5. support for tokens shorter than 128 characters, especially when used in email activation messages

To get things working I did what I think are a couple of hacks: I had to create an empty "AuthenticatedSystem" module and had to stub out a few methods in my user class to get the open_id_authentication plugin to load.

And I had a little frustration in the case-insensitive password. Ideally I would just use authlogic's configuration to override the valid_password method, but I also want to take control of the storing of the password at create time. Please see:

http://github.com/pzingg/baseapp...

for my user class, with very non-DRY overrides of

User#password=, User#valid_password? and User#reset_password!

and what I did to truncate authlogic's unique_token in

User#make_activation_code and User#make_password_reset_code

The other thing I did was alias_method :make_token, :unique_token to be name-compatible with the restful_authentication stubs.

I'm sure you could add configuration options that would make this password stuff configurable, or maybe I missed a clean way of doing it with the existing configuration possibilities.

Comments and changes to this ticket

  • Ben Johnson, November 16th, 2008 @ 02:25 PM

    • State changed from “new” to “open”

    Hi Peter,

    Thanks for posting this. I'll answer these in order:

    1. I plan to make a post about OpenID. I really don't think I am going to build in support for this directly into Authlogic. I actually spent a good amount of time working on OpenID for Authlogic and then decided to scrap it. I have very good reasons for this and plan to make a blog post about it. The plugins out there that already conquer the OpenID challenge are great and can integrate with Authlogic very easily. I actually integrated OpenID support into one of my apps with authlogic in under 10 minutes using the open_id_authentication plugin.

    2. Supporting case-insensitive passwords should be easy to add in; I could probably add that in rather quickly. It would only be to the extent of "did the password they typed match?" and "if I downcase their password, will it match?". That's about the extent of it. I don't think it's smart to modify the raw password in the database at all. The password in the database should represent what they typed.

    3. I'm not sure what you mean by this, but I do have reset_password and reset_password! methods that reset the password to a "friendly" password. Do you mean a different way to create "friendly" passwords?

    4. I am going to release an update today with support for this, as well as a tutorial on my blog explaining it.

    5. This is already added: User.friendly_unique_token; this is what the reset-password token will use.

    After I release the update I'll let you know and you can see what I left out.

    Thanks!
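The two-step check described in point 2 above, as an added example that is not Authlogic's code or Peter's: a plain Ruby model with `password=`, `valid_password?` and `friendly_unique_token` (names taken from the ticket; the PBKDF2 parameters, the 20-character token length and the `case_insensitive` option are assumptions). The caveat it makes concrete is that a salted hash computed from the password as typed can only be matched by an attempt with exactly the same case, so "if I downcase their password, will it match?" only succeeds when the stored hash was itself computed from a downcased password. Case-insensitivity is therefore a decision made at storage time, which is why overriding `password=` (as Peter did) goes with overriding `valid_password?`.

```ruby
require "openssl"
require "securerandom"

# Added example, not Authlogic's implementation. Stores a salted, stretched
# hash of the password and verifies attempts in two steps: as typed, then
# downcased. Only a hash computed from a downcased password can ever match
# the second step.
class User
  ITERATIONS = 100_000 # assumption; tune for your hardware, or use bcrypt/argon2
  KEY_LENGTH = 64      # bytes of PBKDF2 output (SHA-512)

  attr_reader :password_salt, :crypted_password

  # case_insensitive: when true the password is downcased before hashing, so
  # a later downcased attempt produces the same digest. A user created with
  # the default keeps a case-preserved hash, as the comment above prefers.
  def initialize(case_insensitive: false)
    @case_insensitive = case_insensitive
  end

  def password=(raw)
    @password_salt = SecureRandom.hex(16)
    to_hash = @case_insensitive ? raw.downcase : raw
    @crypted_password = digest(to_hash, @password_salt)
  end

  def valid_password?(attempt)
    return false if attempt.nil? || crypted_password.nil?
    # Step 1: "did the password they typed match?"
    return true if matches?(attempt)
    # Step 2: "if I downcase their password, will it match?" This can only be
    # true when the stored hash was computed from a downcased password; for a
    # case-preserved hash it is a wasted (but harmless) second KDF call.
    @case_insensitive && matches?(attempt.downcase)
  end

  # Shorter, email-friendly token in place of a 128-character one.
  # 20 alphanumeric characters carry about 119 bits of entropy, which is more
  # than enough for a single-use activation or reset code (length is an assumption).
  def self.friendly_unique_token(length = 20)
    SecureRandom.alphanumeric(length)
  end

  private

  def matches?(candidate)
    secure_compare(digest(candidate, password_salt), crypted_password)
  end

  # PBKDF2-HMAC-SHA512 from Ruby's OpenSSL binding; returns a hex string.
  def digest(value, salt)
    OpenSSL::KDF.pbkdf2_hmac(value, salt: salt, iterations: ITERATIONS,
                             length: KEY_LENGTH, hash: "sha512").unpack1("H*")
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of the digest matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  strict = User.new
  strict.password = "Secret1"
  puts "case-preserved hash, 'secret1' accepted? #{strict.valid_password?('secret1')}"

  relaxed = User.new(case_insensitive: true)
  relaxed.password = "Secret1"
  puts "downcased hash, 'SECRET1' accepted? #{relaxed.valid_password?('SECRET1')}"
  puts "activation code: #{User.friendly_unique_token}"
end
```

Note that the relaxed mode never stores or compares the raw password; it only changes which string is fed to the KDF. Downcasing before hashing does remove some entropy from the credential, so it should be an opt-in per application rather than the default.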

  • Ben Johnson, November 16th, 2008 @ 04:12 PM

    • State changed from “open” to “resolved”

    I released the update, check out the changelog. A lot of what you mentioned here was added in. Let me know if you have any other issues.
