轨道3 /设计:密码盐不再被创造出来的? [英] Rails 3 / Devise: Password salt no longer being created?
问题描述
我已经工作了一段时间的一个项目,现在它使用设计进行用户身份验证。每当用户创建,它会用自己的加密密码一起为他们生成一个密码盐。
I've been working on a project for a while now which uses Devise for user authentication. Whenever a user was created, it would generate a password salt for them along with their encrypted password.
随着我来到这个项目的尾部,我是测试用户注册,并注意到我的新角色,并没有在数据库中创建这些新用户的密码盐,而我的老用户都有盐。新用户可以在精细签字,但我很担心,为什么设计不再是创造盐。
As I'm coming to the tail end of this project, I was testing user registration and noticed that my new roles were not creating a password salt in the database for these new users, whereas my older users all had salts. The new users can sign in fine, yet I'm concerned why Devise is no longer creating salts.
与制定唯一的怪胎我遇到不得不做的时候我升级模块,并记日志说一些有关删除可加密的bcrypt现在是默认的加密,或者类似的意思。我这样做了......不知道这有什么用当前的问题。
The only oddity with Devise I encountered had to do when I upgraded the module and remember the logs saying something about removing encryptable as bcrypt is now the default encryption, or something to that effect. Which I did so...not sure if this has anything to do with the current issue.
此外,也许以为这是我的项目,该项目pooched,我创建了一个全新的Rails应用程序,从头开始,并补充制定它,甚至认为新的项目还没有为用户创造盐。
In addition, thinking maybe it was my project that was pooched, I created a brand new Rails application from scratch and added Devise to it, and even that new project isn't creating salts for users.
有没有制定一个新的方法来设置密码盐,或有没有人知道为什么没有被再创造的盐?不幸的是,制定维基不有一大堆关于这个问题说了,谷歌一直徒劳的搜索为止。
Is there a new way in Devise to set up password salts, or does anyone know why the salts aren't being created anymore? Unfortunately the Devise wiki doesn't have a whole lot to say on the subject, and Google has been a fruitless search so far.
或者...它甚至需要有盐摆在首位?似乎更安全的有他们,我想。
Or...is it even necessary to have salts in the first place? Seems more secure to have them, I would think.
我的用户配置/设计如下。
My config of users/devise is below.
配置/初始化/ devise.rb
Devise.setup do |config|
config.mailer_sender = "mail@domain.com"
require 'devise/orm/active_record'
config.authentication_keys = [ :login ]
config.stretches = 10
config.encryptor = :bcrypt
# Setup a pepper to generate the encrypted password.
config.pepper = "79c2bf3b[...]"
end
应用/型号/ user.rb
devise :database_authenticatable, :registerable, :confirmable,
:recoverable, :rememberable, :trackable, :validatable
更新
我能够从设计升级后,找到该通知,其内容...
I was able to locate the notice from after Devise was upgraded, which reads...
[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt since encryptors are only enabled if you include :encryptable in your models. To update your app, please:
1) Remove config.encryptor from your initializer;
2) Add t.encryptable to your old migrations;
3) [Optional] Remove password_salt in a new recent migration. Bcrypt does not require it anymore.
所以,现在看来,password_salt是,如果你坚持使用bcrypt,这也解释了为什么它不能再创建pcated德$ P $。这样回答了,但我的问题的另一部分仍然...这是一个足够好的做法,或者我应该去除了bcrypt另一个加密?
So it appears that the password_salt is deprecated if you stick with bcrypt, which explains why it's not created anymore. So that answers that, but the other part of my question still remains...is this a good enough practice or should I go with another encryption besides bcrypt?
推荐答案
每何塞Valim:
设计1.2.1不需要
如果你password_salt列了
使用bcrypt。如果您需要一种
盐的,我相信有一种方法
所谓authentication_salt你可以
使用检索此类值。
<一href=\"http://groups.google.com/group/plataformatec-devise/browse_thread/thread/b1a1c648bc26e54d\">(Source)
这篇关于轨道3 /设计:密码盐不再被创造出来的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
