I'm planning to make the database of a Rails project available for download publicly. This database contains an Authlogic users table, with crypted_password and password_salt fields. How securely are these passwords stored... is it safe to make them available publicly this way? Or should I look at implementing another authentication system such as OpenID which doesn't store the passwords in the database?

+2  A: 

It's definitely not a good idea to share this, regardless of the level of security and encryption. Even if it were perfectly secure, at a minimum you'll be revealing user data, which doesn't sound like something your users are likely to be happy about. And what if it isn't perfectly secure (far more likely) -- suppose, say, there's a critical weakness in authlogic that hasn't been discovered yet?

Better safe than sorry. Share the rest if you want, but keep your users table and related data under wraps!

John Feminella
Thanks for the advice. The only other option that I can think of is to require OpenID authentication instead. The app will be similar to Wikipedia in that I want to give users the option of forking the whole project if need be and setting up the site somewhere else. Assuming users were made aware that their OpenID would be shared, do you think that this would be the best approach?
Uriptical
+2  A: 

I would suggest you remove any fields involving user authentication (emails, passwords, salts and keys, open id urls) from any databases you are planning on sharing, otherwise you could find yourself in a world of pain when someone malicious gets hold of it.

Andrew Nesbitt
+1  A: 

I think it would be wise to not include the user table in the database you make public regardless of the authentication system that you use. One of the advantages of using authlogic is that you can implement multiple means of authenticating fairly painlessly. It doesn't matter if you use traditional registration, OAuth, OpenID, or RPX, all those methods are capable of pulling in personal information outside of a password into your user model. Users probably wouldn't feel happy with DOB/first & last name/location information being made public either.

Patrick Robertson
+1  A: 

It's definitely not safe to share hashed passwords, maybe you should try splitting your User model into something like UserProfile (user's public information - nickname, location, etc) and UserAccount which you could use for authentication. Then you could probably share everything except the accounts. Or maybe consider implementing some sort of an API which others could use to pull data from your site instead of publishing the whole database.

psyho
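The advice in Andrew Nesbitt's and psyho's answers (publish everything except the account data, and strip authentication columns such as `crypted_password` and `password_salt` from whatever you do share) can be enforced mechanically before a dump is uploaded. The script below is an added example, not code from the thread or from Authlogic; table names, the `user_profiles`/`articles` allowlist and the sample rows are constructed assumptions. It allowlists publishable columns per table, drops account tables wholesale, and fails loudly if someone accidentally allowlists a sensitive column.

```ruby
# Added example: sanitise a Rails database export before publishing it.
# Table names, allowlists and rows are constructed sample data (assumptions).
require 'json'

# Authentication material and personal data that must never leave the server,
# whatever table it appears in. crypted_password/password_salt are Authlogic's
# columns from the question; the rest are assumed common extras.
SENSITIVE_COLUMNS = %w[
  crypted_password password_salt persistence_token single_access_token
  perishable_token email openid_identifier
].freeze

# Account tables are dropped wholesale, as psyho's UserAccount split suggests.
PRIVATE_TABLES = %w[users user_accounts sessions].freeze

# Per-table allowlist of columns that may be published. Anything not listed
# is withheld, so a newly added column stays private until someone opts it in.
PUBLIC_COLUMNS = {
  'user_profiles' => %w[id nickname location],
  'articles'      => %w[id title body user_profile_id],
}.freeze

class SensitiveColumnError < StandardError; end

# Returns a sanitised copy of `dump` (table name => array of row hashes).
# Raises if the allowlist itself names a sensitive column, so a mistaken
# allowlist entry aborts the export instead of quietly leaking.
def sanitize_dump(dump, public_columns = PUBLIC_COLUMNS)
  dump.each_with_object({}) do |(table, rows), out|
    next if PRIVATE_TABLES.include?(table)
    allowed = public_columns.fetch(table, [])
    leaked = allowed & SENSITIVE_COLUMNS
    raise SensitiveColumnError, "#{table}: #{leaked.join(',')}" unless leaked.empty?
    next if allowed.empty?
    out[table] = rows.map { |row| row.select { |col, _| allowed.include?(col) } }
  end
end

# Last check before upload: true if any sensitive column survived.
def leaks?(sanitized)
  sanitized.values.flatten.any? { |row| (row.keys & SENSITIVE_COLUMNS).any? }
end

SAMPLE_DUMP = {
  'users' => [{ 'id' => 1, 'login' => 'alice', 'crypted_password' => 'x', 'password_salt' => 'y' }],
  'user_profiles' => [{ 'id' => 1, 'nickname' => 'alice', 'location' => 'Oslo', 'email' => 'a@example.org' }],
  'articles' => [{ 'id' => 7, 'title' => 'Hello', 'body' => '...', 'user_profile_id' => 1, 'draft_notes' => 'private' }],
}.freeze

puts JSON.pretty_generate(sanitize_dump(SAMPLE_DUMP)) if __FILE__ == $PROGRAM_NAME
```

Run it against a real export by loading each table into the same `table => rows` shape; the `leaks?` check is cheap enough to keep in a pre-upload hook.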