[Rails] Setting passwords for users (Login Generator)

Stian Grytøyr sgrytoyr at gmail.com
Sun Feb 27 11:53:27 GMT 2005


Tobias Luetke <tobias.luetke at gmail.com> wrote:

> True-ish. If you do this there will be no way for users to change
> login name without changing the password. If you use email instead of
> login this can be a problem.

That's true, so on my own sites there is no way to change the login
name, by design. I suppose one could add a random string to each
user object and use that as the salt if this is a concern.

Actually, I think the ideal solution is to use a salt (different for each user)
as well as a "magic" string for each site. That way, you not only
guarantee that different users with the same password will have different
hashes, you also make sure that a compromised username/password
combo cannot be used on a different site with the same password
mechanism. This might seem rather paranoid, but it's simple to implement,
so I tend to do it.

-- 
Regards,
Stian Grytøyr
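The scheme described in the reply above (a random per-user salt plus a site-wide "magic" string, so that equal passwords hash differently per user and a stolen hash from one site is useless against another) as a stand-alone Ruby example. This is added illustration, not code from the thread or from the Rails login generator: the `SITE_PEPPER` value is a constructed placeholder that in practice belongs in configuration outside the database, and PBKDF2-HMAC-SHA256 is used in place of the plain SHA1 digest typical of the 2005 generator.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical site-wide "magic" string (a pepper). Constructed placeholder;
# a real deployment keeps this out of the database, e.g. in site config.
SITE_PEPPER = 'constructed-example-site-pepper'.freeze

ITERATIONS = 50_000 # work factor; raise as hardware allows
KEY_LENGTH = 32     # bytes of derived key

# Fresh random salt for a user, stored alongside the hash.
def new_salt
  SecureRandom.hex(16)
end

# Derive the stored hash from password, per-user salt and site pepper.
# Mixing the pepper into the input means the same password and salt
# yield a different hash on a site with a different pepper.
def hash_password(password, salt, pepper = SITE_PEPPER)
  OpenSSL::KDF.pbkdf2_hmac(password + pepper,
                           salt: salt,
                           iterations: ITERATIONS,
                           length: KEY_LENGTH,
                           hash: 'sha256').unpack1('H*')
end

# Constant-time string comparison so a mismatch is not revealed
# by how early the comparison bails out.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a user record the way a login generator would store it:
# login, salt and hash, never the clear-text password.
def create_user(login, password)
  salt = new_salt
  { login: login, salt: salt, password_hash: hash_password(password, salt) }
end

# Verify a login attempt against a stored record.
def authenticate(user, password)
  secure_equal?(user[:password_hash], hash_password(password, user[:salt]))
end

if __FILE__ == $PROGRAM_NAME
  alice = create_user('alice', 'same-password')
  bob   = create_user('bob',   'same-password')
  puts "alice hash: #{alice[:password_hash]}"
  puts "bob   hash: #{bob[:password_hash]}"
  puts "alice login ok?      #{authenticate(alice, 'same-password')}"
  puts "alice wrong pw ok?   #{authenticate(alice, 'other-password')}"
end
```

Two users with the same password get different hashes because their salts differ, and re-running `hash_password` with another pepper value shows why a leaked hash does not carry over between sites that use the same mechanism.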

