Rails 3 / Devise: no longer creating a password salt?
I've been working on a project for a while now which uses Devise for user authentication. Whenever a user was created, it would generate a password salt for them along with their encrypted password.
As I'm coming to the tail end of this project, I was testing user registration and noticed that my new roles were not creating a password salt in the database for these new users, whereas my older users all had salts. The new users can sign in fine, yet I'm concerned why Devise is no longer creating salts.
The only oddity with Devise I encountered had to do when I upgraded the module and remember the logs saying something about removing encryptable as bcrypt is now the default encryption, or something to that effect. Which I did so...not sure if this has anything to do with the current issue.
In addition, thinking maybe it was my project that was pooched, I created a brand new Rails application from scratch and added Devise to it, and even that new project isn't creating salts for users.
Is there a new way in Devise to set up password salts, or does anyone know why the salts aren't being created anymore? Unfortunately the Devise wiki doesn't have a whole lot to say on the subject, and Google has been a fruitless search so far.
Or...is it even necessary to have salts in the first place? Seems more secure to have them, I would think.
My config of users/devise is below.
config/initializers/devise.rb
Devise.setup do |config|
  config.mailer_sender = "[email protected]"
  require 'devise/orm/active_record'
  config.authentication_keys = [ :login ]
  config.stretches = 10
  config.encryptor = :bcrypt
  # Setup a pepper to generate the encrypted password.
  config.pepper = "79c2bf3b[...]"
end
app/models/user.rb
devise :database_authenticatable, :registerable, :confirmable,
       :recoverable, :rememberable, :trackable, :validatable
UPDATE
I was able to locate the notice from after Devise was upgraded, which reads...
[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt since encryptors are only enabled if you include :encryptable in your models. To update your app, please:
1) Remove config.encryptor from your initializer;
2) Add t.encryptable to your old migrations;
3) [Optional] Remove password_salt in a new recent migration. Bcrypt does not require it anymore.
So it appears that the password_salt is deprecated if you stick with bcrypt, which explains why it's not created anymore. So that answers that, but the other part of my question still remains...is this a good enough practice or should I go with another encryption besides bcrypt?
Comments (2)
The new version of devise uses characters 0 to 29 of the encrypted password field as the salt and the remaining characters in that database field for the encrypted password. So your passwords are actually still salted with BCrypt.
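The layout this answer describes, as an added example that is not code from the original post or from Devise: a small parser for the bcrypt string stored in encrypted_password, run on a constructed sample rather than a real digest, so it needs no bcrypt gem. The first 29 characters (version, cost and 22-character salt) are exactly what a separate password_salt column would have duplicated.

```ruby
# Added example (not Devise's own code): split a bcrypt "modular crypt" string
# into its parts. Layout: $2a$<cost:2>$<salt:22><digest:31>, 60 characters.
# Characters 0..28 carry the version, cost and salt; the last 31 are the digest,
# which is why a separate password_salt column is redundant with bcrypt.
BCRYPT_RE = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

def parse_bcrypt_hash(str)
  m = BCRYPT_RE.match(str)
  raise ArgumentError, "not a bcrypt hash: #{str.inspect}" unless m
  cost = m[2].to_i
  # bcrypt only defines costs 4..31; anything else is a corrupted value
  raise ArgumentError, "cost #{cost} out of range" unless (4..31).cover?(cost)
  {
    version: m[1],
    cost:    cost,        # the work factor, Devise's config.stretches
    salt:    str[0, 29],  # "$2a$10$" + 22 salt chars: the "characters 0 to 29"
    digest:  m[4],        # the remaining 31 characters
  }
end

# Constructed sample: a plausible-looking string, NOT a digest of any password.
SAMPLE_ENCRYPTED_PASSWORD = "$2a$10$abcdefghijklmnopqrstuv" \
                            "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __FILE__ == $0
  parts = parse_bcrypt_hash(SAMPLE_ENCRYPTED_PASSWORD)
  puts "cost (stretches): #{parts[:cost]}"
  puts "salt prefix:      #{parts[:salt]}"
  puts "digest:           #{parts[:digest]}"
end
```

A bcrypt verifier re-reads the cost and salt from this prefix before recomputing the digest, so any user row whose encrypted_password parses this way is still salted even though the password_salt column is empty.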
Per José Valim: