RubyFlow : Ruby Community Link Blog


Painless Password Protection in Sinatra (Database-less)

For Inspectinator (a sinatra microapp), I needed a database-less authentication solution that was as lightweight as possible, but with a reasonable amount of security and maintainability. I came up with something that suits this purpose well, and I'm sharing it in case anyone is looking for something similar. I call it EasyAuth. Here ya go

Comments

This is not cryptographically sound. It uses a fast hash (SHA1) rather than a password hash, such as bcrypt. Therefore, passwords can be reversed with rainbow tables. It doesn't use a random number to salt the password. It even stores password data on the user's system.

And it isn't technically databaseless. It actually uses the source code as a database.

Always use random numbers as cookie values. Always use random numbers to generate password hashes. Always use slow hashes for password hashing.

n - March 08, 2010 19:33

I'll get flagged as a troll for saying this but this is another example of poor code being posted here. There are too many problems with this to list so I'll just say be safe and stay away.

ANonymousCritic - March 09, 2010 18:11
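The points in this comment (a deliberately slow, salted hash instead of SHA1, a random per-password salt, and a comparison that does not leak timing) as an added example in plain Ruby; this is not code from the EasyAuth gist. bcrypt, the gem the comment recommends, is not in Ruby's standard library, so the example uses PBKDF2-HMAC from OpenSSL, a different but also deliberately slow, salted password hash. `ITERATIONS`, `hash_password`, `verify_password` and the `alg$iterations$salt$hash` storage layout are this example's own choices.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example, not from the original gist. Work factor and output size are
# this example's own choices; raise ITERATIONS as hardware gets faster.
ITERATIONS = 100_000
KEY_LEN = 32

# The scheme the comment criticises: a fast, unsalted digest. Two users with
# the same password get the same digest, which is exactly what a precomputed
# (rainbow) table looks up.
def weak_digest(password)
  Digest::SHA1.hexdigest(password)
end

# Slow, salted hash. A fresh random salt per password means equal passwords
# produce different stored values, so a table built for one salt is useless
# for another, and the iteration count makes each guess expensive.
def hash_password(password, salt: SecureRandom.hex(16), iterations: ITERATIONS)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN, 'sha256')
  "pbkdf2-sha256$#{iterations}$#{salt}$#{dk.unpack1('H*')}"
end

# Compare every byte regardless of where the first mismatch is, so the time
# taken does not reveal how much of the value matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute with the salt and iteration count recorded in the stored string,
# then compare the whole encoded value in constant time.
def verify_password(password, stored)
  _alg, iterations, salt, _hex = stored.split('$')
  return false if salt.nil?
  candidate = hash_password(password, salt: salt, iterations: iterations.to_i)
  secure_compare(candidate, stored)
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_password('correct horse')
  puts stored
  puts verify_password('correct horse', stored) # true
  puts verify_password('wrong horse', stored)   # false
end
```

The stored string carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a format change. Only the hash output is stored; the salt is not secret, but the password itself never is.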
n:
Thanks for your comments. I've had an interesting time reading up on rainbow tables and slow vs fast hashing schemes. I've updated the gist to use salts and bcrypt. As far as the cookie value, the problem is storing the cookie value server-side (for an app without a database). Nothing comes to mind about how to get around this, but I'm open to suggestions.

ANonymousCritic:
I cannot respond to criticism that amounts simply to "this sucks." I'm definitely open to (hopefully constructive) criticism if you have something specific to say.

rellik - March 17, 2010 04:49
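For the open question above about random cookie values when there is no database to store them in, an added example (not the gist's code, and not from any of the commenters) of a signed session token: the server keeps only a secret key, and the cookie carries the user name, an expiry, a random nonce and an HMAC over those fields, so the server validates it by recomputing the signature rather than by lookup. `EASYAUTH_SECRET`, `issue_token` and `verify_token` are assumed names for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example. The only server-side state is this secret; in a real app it
# would come from configuration rather than being generated at boot, because a
# regenerated secret invalidates every outstanding session.
SECRET = ENV.fetch('EASYAUTH_SECRET') { SecureRandom.hex(32) }

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build "user|expiry|nonce|signature" and encode it for use as a cookie value.
# The nonce is random so two logins never yield the same cookie; the HMAC
# binds all fields to the secret so none can be edited on the client side.
def issue_token(user, ttl: 3600, now: Time.now.to_i, secret: SECRET)
  raise ArgumentError, 'user name must not contain the field separator' if user.include?('|')
  payload = [user, now + ttl, SecureRandom.hex(16)].join('|')
  sig = OpenSSL::HMAC.hexdigest('sha256', secret, payload)
  Base64.urlsafe_encode64("#{payload}|#{sig}")
end

# Returns the user name for a valid, unexpired token, or nil otherwise.
# The signature is checked before the expiry so that both tampered and
# malformed tokens are rejected the same way.
def verify_token(token, now: Time.now.to_i, secret: SECRET)
  begin
    decoded = Base64.urlsafe_decode64(token)
  rescue ArgumentError
    return nil
  end
  user, expiry, nonce, sig = decoded.split('|', 4)
  return nil if sig.nil?
  expected = OpenSSL::HMAC.hexdigest('sha256', secret, [user, expiry, nonce].join('|'))
  return nil unless constant_time_equal?(expected, sig)
  return nil unless expiry.to_i > now
  user
end

if __FILE__ == $PROGRAM_NAME
  cookie = issue_token('alice', ttl: 60)
  puts cookie
  puts verify_token(cookie).inspect # "alice"
end
```

In Sinatra this value would be set with `response.set_cookie` using the `httponly` and `secure` flags, and read back from `request.cookies` on each request. The trade-off of keeping no state is that logout can only clear the cookie and a stolen token stays valid until its expiry; per-session revocation needs either a short `ttl` or some server-side record, which is the one thing this design avoids.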
