7.2 secure the password

最新推荐文章于 2021-03-10 02:22:00 发布
最新推荐文章于 2021-03-10 02:22:00 发布
阅读量108 收藏
点赞数
分类专栏: ruby and rails 文章标签: 测试 数据库
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/midfinger/article/details/84044750
版权

chapter 7.2

 

again, let's start from TDD again!!!!!!!!!!!!!!

 

1. since we define the encrypt_password into private area, how do we test it????????

 

ok, we need some public interface to use it. (TDD by acting as a client, the test motivate us to design a useful interface right from the start)

 

authentication involves comparing the encrypted version of submitted password to the encreptyed_password in the database. This means we need to define a method:

 

has_password?

 

this will be public interface.

 

 

def has_password?(submitted_password)
    # to do
end

 

for the test:

 

 

describe "has_password? method" do
    it "should be true if the passwords match" do
        @user.has_password?(@attr[:password]).should be_true
    end
     it "should be false if the passwords don't match" do
        @user.has_password?("invalid").should be_false
    end
end

 

2. study some secure password theory:

 

a. instead of storing the raw password, we store a hashed password,

b. this hashed password is inreversible, this means even the hacher get the encrypted password, he can't infer the original.

c. to do the authentication, we first encrypt the submitted password, then do compare.

 

for examle, we use SHA2 to hash the password:

 

require "digest"

def secure_hash(string)

Digest::SHA2.hexdigest(string)

end

password = "secret"

encrypted_password = secure_hash(password)

submitted_password = "secret"

encrypted_password == secure_hash(submitted_password)  ======> true

 

 

Digest::SHA2.hexdigest(string)

this is one-way, it is impossible to deduce the original password from the hashed value.

 

But:

we still have a problem: if the hacker ever hold the hashed password, and he can guess we use SHA2, and write a program to compare the given hash to the hashed values of many common password, to find the original password!!

 

so we are still in a security hole!!!


how to solve it?


the answer is "salt"!!!

 

for example:

 

Time.now.utc

password = "secret"

salt = secure_hash("#{Time.now.utc}--#{password}")

encrypted_password = secure_hash("#{salt}--#{password}")

 

This password is impossible to crack!!

 

For clarity, arguments to hashing functions are often separated with "--"

 

 

3. now we are ready to implement has_password? method:

 

 

def has_password?(submitted_password)
    encrypted_password == encrypt(submitted_password)
end

 as long as the submitted password using the same salt, it will work fine.

 

 

5. we need to add a new column called salt to the users table.

 

 

rails g migration add_salt_to_users salt:string
rake db:migrate
rake db:test:prepare

 

6. finally, we will implement the full.

 

 

require 'digest'
class User < ActiveRecord::Base
	before_save :encrypt_password

	def has_password?(submitted_password)
		encrypted_password == encrypt(submitted_password)
	end

	private
		def encrypt_password
			self.salt = make_salt unless has_password?(password)
			self.encrypted_password = encrypt(password)
		end
		def encrypt(string)
			secure_hash("#{salt}--#{string}")
		end
		def make_salt
			secure_hash("#{Time.now.utc}--#{password}")
		end
		def secure_hash(string)
			Digest::SHA2.hexdigest(string)
		end
		
end

 

ok, let's run the test, it will pass:

 

rspec spec/models/user_spec.rb -e "has_password\? method"

 

 

midfinger
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
CentOS7.2本地升级openSSH7.9
菜鸡笔录
04-19 1140
一、背景: 因老版存在很多漏洞,因此需要升级到最新版本,服务器所在区域无法上网,需要离线安装所有软件和依赖包; 相关资源: https://download.csdn.net/download/gz_jax/11128971 (里面缺少gcc-c++包,自行下载添加) 二、升级openssh7.9 所有的依赖包上传服务器(我是放在/home/soft目录下) 1、先安装telnet-server ...
php7.3和php7.2,一篇文章帮你了解 PHP 7.3 更新
weixin_42126865的博客
03-10 1612
PHP 目前依旧是其它脚本语言强劲的竞争对手,这主要归功于其核心维护团队的快速更新。自从 PHP 7.0 发布以来,社区见证了许多新特性的诞生,极大地改进了开发者在项目中应用 PHP 的方式。提高 PHP 应用的性能和安全性,是这些改进的主要目的。PHP 最近实现了又一个里程碑 —— 发布 PHP 7.3。新版本带来了一些急需的更新。在本文中,我将论述新推出的 PHP 7.3 特性 和更新。好消息...
PDF Password Remover(带序列号或注册码)
09-09
PDF Password Remover(带序列号或注册码)让PDF文档可编辑,方便对PDF文档进行修订、标记颜色、做笔记等。
PDF Password Remover 5.0, 序列号请看资源描述
06-25
PDF Password Remover 5.0 最新版本,序列号,希望大家喜欢!英文版本的,好用的注册码。 67000500000056VP0067
CentOS7.2安装MySQL8.0
gangan1345的专栏
08-10 158
yum 快速下载安装mysql8.0 # sudo yum localinstall https://repo.mysql.com//mysql80-community-release-el7-1.noarch.rpm # sudo yum install mysql-community-server 8.0下载地址 https://cdn.mysql.com//Downloads/MySQL-...
php7.2编译参数,PHP7.2 版本性能介绍
weixin_42502811的博客
03-10 202
摘要:本文主要和大家详细介绍PHP7.2 版本性能,希望能帮助大家对PHP7.2有一个更清晰的认识。1. 不向后兼容的变更Core:对于封闭资源来说,gettype()函数将返回resource(closed),取代之前的unknown type。对于__PHP_Incomplete_Class类对象来说,is_object()函数将返回true。移除对Netware操作系统的支持。array类型...
centos7.2 mysql_CentOS7.2 在线安装MySQL8.0
weixin_42348026的博客
01-26 73
一、环境:CentOS7.2 64位 最小化安装二、在线安装:1、配置MySQL8.0的安装源。rpm -Uvh https://repo.mysql.com/mysql80-community-release-el7.rpm2、安装MySQL 8.0社区版服务以及客户端工具。yum --enablerepo=mysql80-community install mysql-community...
CentOS 7.2 安装MariaDB详细过程
09-09
在本文中,我们介绍了在CentOS 7.2上安装MariaDB的详细步骤,包括配置防火墙开放端口,以及使用mysql_secure_installation脚本进行数据库的安全配置。MariaDB是一个稳定可靠、功能强大的数据库管理系统,广泛应用于...
CentOS 7.2安装Zabbix 3.2教程详解
09-15
在本文中,我们将详细探讨如何在CentOS 7.2系统上安装Zabbix 3.2监控服务器。Zabbix是一款开源的企业级监控解决方案,能够监控各种网络参数以及服务器、应用程序的健康状况。在CentOS 7.2环境下,安装Zabbix涉及到多...
php7.2 mysql 教程_Linux搭建lamp(Apache+PHP+Mysql环境)centos7.2版详细教程
weixin_32479897的博客
02-08 173
一、 检查系统环境1、确认centos版本[root@localhost ~]# cat /etc/redhat-releaseCentOS Linux release 7.2.1511 (Core)2、检查是否安装过apacherpm -qa | grep httpd或者:apachectl -v或者:httpd -v3、检查是否安装过Mysqlservice mysqld start如果未被识...
6.3 make model, view, controller work together.
peryt
10-09 4622
1. let's start to console without --sandbox param to create some record into our database:     rails console User.create!(:name =&gt; "china zhang", :email =&gt; "china@china.com")  to see if t...
12.2 a web interface for following and followers.
peryt
10-28 369
1.before we do the UI, we need to populate database. we will write a rake task to do this:     namespace :db do desc "populate database" task :populate =&gt; :environment do Rake:Task["...
8.1 sign up form
peryt
10-11 332
chapter 8.1   1. let's first make a branch for the sign up chapter: git checkout -b signing-up   2. also reset the database: rake db:reset   3. we already got two basic test for new action in ...
6.2 user validations
peryt
09-13 270
1. ok, let's add validations to our models: a. name should not be blank. b. email should follow email format. c. email should be unique.   2. there are some common validations: validates pressen...
8.2 sign up failure
peryt
10-11 249
chapter 8.2   for this section, we will do this:   if a signup form has invalid submission, the app will re-render the signup page, show the error details.   1. we will do TDD again!!!   resou...
9.3 sign in success.
peryt
10-12 236
1. we will first finish the create action:   def create user = User.authenticate(params[:session][:email], params[:session][:password]) if user.nil? fl...
9.2 sign in failure
peryt
10-12 215
start from TDD!!!   1. require 'spec_helper' describe SessionsController do render_views . . . describe "POST 'create'" do describe "invalid signin" do before(:each) ...
8.3 sign up success
peryt
10-11 205
Chapter 8.3 this part, we will deal with the case that sign up success.   1. start from TDD!!!!     describe "success" do before(:each) do @attr = { :name =&gt; "New User", :em...
Discuz 7.2 数据库结构详解
“discuz7.2数据库结构表完整版”包含Discuz! 7.2这款知名论坛系统的所有数据库表及其字段的详细说明。这些表是系统运行的基础,用于存储用户信息、权限设置、活动管理等多个方面的重要数据。 1. **cdb_access** - ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值