密码加密和解密

two way crypt:

#http://crypt.rubyforge.org/blowfish.html
#gem install crypt
require 'crypt/blowfish' 
blowfish = Crypt::Blowfish.new("A key up to 56 bytes long")
plainBlock = "ABCD1234"
p plainBlock
encryptedBlock = blowfish.encrypt_block(plainBlock)
p encryptedBlock
decryptedBlock = blowfish.decrypt_block(encryptedBlock)
p decryptedBlock

bcrypt-ruby

An easy way to keep your users’ passwords secure.

* bcrypt-ruby.rubyforge.org/
* github.com/codahale/bcrypt-ruby/tree/master

Why you should use bcrypt

If you store user passwords in the clear, then an attacker who steals a copy of your database has a giant list of emails and passwords. Some of your users will only have one password — for their email account, for their banking account, for your application. A simple hack could escalate into massive identity theft.

It‘s your responsibility as a web developer to make your web application secure — blaming your users for not being security experts is not a professional response to risk.

bcrypt allows you to easily harden your application against these kinds of attacks.
How to install bcrypt

sudo gem install bcrypt-ruby

You‘ll need a working compiler. (Win32 folks should use Cygwin or um, something else.)
How to use bcrypt in your Rails application
The User model

require 'bcrypt'

  class User < ActiveRecord::Base
    # users.password_hash in the database is a :string
    include BCrypt

    def password
      @password ||= Password.new(password_hash)
    end

    def password=(new_password)
      @password = Password.create(new_password)
      self.password_hash = @password
    end

  end

Creating an account

def create
    @user = User.new(params[:user])
    @user.password = params[:password]
    @user.save!
  end

Authenticating a user

def login
    @user = User.find_by_email(params[:email])
    if @user.password == params[:password]
      give_token
    else
      redirect_to home_url
    end
  end

If a user forgets their password?

# assign them a random one and mail it to them, asking them to change it

  def forgot_password
    @user = User.find_by_email(params[:email])
    random_password = Array.new(10).map { (65 + rand(58)).chr }.join
    @user.password = random_password
    @user.save!
    Mailer.create_and_deliver_password_change(@user, random_password)
  end

How to use bcrypt-ruby in general

require 'bcrypt'

  my_password = BCrypt::Password.create("my password") #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"

  my_password.version              #=> "2a"
  my_password.cost                 #=> 10
  my_password == "my password"     #=> true
  my_password == "not my password" #=> false

  my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
  my_password == "my password"     #=> true
  my_password == "not my password" #=> false

Check the rdocs for more details — [url]http://bcrypt-ruby.rubyforge.org/classes/BCrypt.html[/url]BCrypt, [url]http://bcrypt-ruby.rubyforge.org/classes/BCrypt/Password.html[/url]BCrypt::Password.