`has_secure_password` uses [bcrypt-ruby][1]. `bcrypt-ruby` automatically handles the storage and generation of salts for you. A typical hash from `bcrypt-ruby` looks like this: `$2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e`. This hash is split internally using the following function:

    def split_hash(h)
      _, v, c, mash = h.split(&#39;$&#39;)
      return v, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
    end

For the example hash this function yields:

* version: 2a
* cost: 10
* salt: $2a$10$4wXszTTd7ass8j5ZLpK/7.
* hash: ywXXgDh7XPNmzfIWeZC1dMGpFghd92e

The `==`-function of `BCrypt::Password` extracts the salt and applies it to the passed string:

    BCrypt::Password.create(&#39;bla&#39;) == &#39;bla&#39; # =&gt; true


  [1]: https://github.com/codahale/bcrypt-ruby

For a script I&#39;m writing, I need display a number that has been rounded, but not the decimal or anything past it. I&#39;ve gotten down to rounding it to the third place, but I&#39;m not sure how to go about just dropping the decimal and everything past it, as it doesn&#39;t seem like JavaScript has a `substr` function like PHP does.

Any recommendations?

Truncate/round whole number in JavaScript?

How do you handle multiple client to connect to one server? I have this LogServer.java

    import javax.net.ssl.*;
    import javax.net.*;
    import java.io.*;
    import java.net.*;
    
    public class LogServer {
      private static final int PORT_NUM = 5000;
      public static void main(String args[]) {
        ServerSocketFactory serverSocketFactory =
          ServerSocketFactory.getDefault();
        ServerSocket serverSocket = null;
        try {
          serverSocket =
            serverSocketFactory.createServerSocket(PORT_NUM);
        } catch (IOException ignored) {
          System.err.println(&quot;Unable to create server&quot;);
          System.exit(-1);
        }
        System.out.printf(&quot;LogServer running on port: %s%n&quot;, PORT_NUM);
        while (true) {
          Socket socket = null;
          try {
            socket = serverSocket.accept();
            InputStream is = socket.getInputStream();
            BufferedReader br = new BufferedReader(
              new InputStreamReader(is, &quot;US-ASCII&quot;));
            String line = null;
            while ((line = br.readLine()) != null) {
              System.out.println(line);
            }
          } catch (IOException exception) {
            // Just handle next request.
          } finally {
            if (socket != null) {
              try {
                socket.close();
              } catch (IOException ignored) {
              }
            }
          }
        }
      }
    }

and an embedded applet with part of the code like this e.g

    import java.io.*;
    import java.util.logging.*;
     
    public class LogTest
    {
      private static Logger logger = Logger.getAnonymousLogger();
     
      public static void main(String argv[]) throws IOException
      {
        Handler handler = new SocketHandler(&quot;localhost&quot;, 5000);
        logger.addHandler(handler);
        logger.log(Level.SEVERE, &quot;Hello, World&quot;);
        logger.log(Level.SEVERE, &quot;Welcome Home&quot;);
        logger.log(Level.SEVERE, &quot;Hello, World&quot;);
        logger.log(Level.SEVERE, &quot;Welcome Home&quot;);
      }
    }

now the question is if I run &quot;java LogServer&quot; on the server, it will open the application and waiting for input stream and if I open my site, it will start streaming the log. But if I open one more using other computer/network, the second site does not log the stream. seems like it&#39;s because the first one still bind to port 5000. 

How do I handle this?
How does socket actually work with multiple client / one server?

socket programming multiple client to one server

I want to use `has_secure_password` to store encrypted passwords in the database. I can&#39;t find on the the internet if `has_secure_password` uses any form of salting. If it uses salting, how does it works? Can anyone clarify this for me?

Thijs

Does has_secure_password use any form of salting?

<p>I want to use <code>has_secure_password</code> to store encrypted passwords in the database. I can't find on the the internet if <code>has_secure_password</code> uses any form of salting. If it uses salting, how does it works? Can anyone clarify this for me?</p>
<p>Thijs</p>


I would like to view the data in my DB while developing with Rails (actually in all 3 of them development, test and production). I have not touched the configs, so it should be easy, but I was not able to find any usable info.

I have no idea what the connection string could be or where to enter it, since Aptana (v.3) seems to lack the good old data source explorer view I know from Eclipse. Could someone point me into the right direction?

EDIT: I am working on linux - Mint 12

How to access default Rails sqlite db?

I am trying to install curb 0.8.0 on a Windows computer but I can not seem to get anywhere. I have been trying every website 3 pages deep on my Google search. Please, anyone have an idea of how I can get this single thing installed. I have downloaded curl and extracted it to C:\curl.  I have added it to my path and am running the command: 

    gem install curb -- --with-curl-lib=C:\curl\bin --with-curl-include=C:\curl\include

But it doesn&#39;t work. I keep getting the same error. Any suggestions?

Can&#39;t find libcurl or curl/curl.h (RuntimeError)

The best way I can describe what I&#39;m looking for is to show you the failed code I&#39;ve tried thus far:

    case car
      when [&#39;honda&#39;, &#39;acura&#39;].include?(car)
        # code
      when &#39;toyota&#39; || &#39;lexus&#39;
        # code
    end

I&#39;ve got about 4 or 5 different `when` situations that should be triggered by approximately 50 different possible values of `car`. Is there a way to do this with `case` blocks or should I try a massive `if` block?

Case statement with multiple values in each &#39;when&#39; block

When I run `bundle install` for my Rails 3 project on Centos 5.5 it fails with an error:

    Gem::RemoteFetcher::FetchError: SSL_connect returned=1 errno=0 state=SSLv3 
    read server certificate B: certificate verify failed 
    (https://bb-m.rubygems.org/gems/multi_json-1.3.2.gem)
    An error occured while installing multi_json (1.3.2), and Bundler cannot continue.
    Make sure that `gem install multi_json -v &#39;1.3.2&#39;` succeeds before bundling.

When I try to install the gem manually (by `gem install multi_json -v &#39;1.3.2&#39;`) it works. The same problem occurs with several other gems. I use RVM (1.12.3), ruby 1.9.2, bundler 1.1.3. 

How to fix it?

bundle install fails with SSL certificate verification error

I am having a normal HTML frontend and a JSON API in my Rails App. Now, if someone calls `/api/not_existent_method.json` it returns the default HTML 404 page. Is there any way to change this to something like `{&quot;error&quot;: &quot;not_found&quot;}` while leaving the original 404 page for the HTML frontend intact?

Need to return JSON-formatted 404 error in Rails

What is the way in rails to structure sql query to only select certain columns from the database, I have some large data fields which I want to avoid loading from continuous periodic ajax calls. Reading unnecessarily is resource consuming and slow. 

    @itemlist = Item.find(:all, :conditions =&gt; { .... } ) #this select all columns 

I am looking for `SELECT name, address FROM users;` instead of `SELECT * FROM users;` 



Ruby rails - select only few columns from the data base

I started populating an en yaml file in Rails and I can already tell it will get messy and out of hand before too long. Is there a convention to keeping this file organized?

So far I have this structure:

    language:
      resource:
        pages: # index, show, new, edit
          page html elements: # h1, title
      activerecord:
        attributes:
          model:
            property:

Now I have the following things that I want to fit into this structure but I&#39;m unsure how to:

 1. Navigation
 2. Button text (save changes, create account, etc)
 3. Error messages from controller flash
 4. How to add multi-word keys. Do I use a space or an underscore? For exmaple, `t(&quot;.update button&quot;)`) or `t(&quot;.update_button&quot;)`

Is there a convention to locale file structure?

How do you structure i18n yaml files in Rails?

Is there a way to pass ruby file, *foo.rb* to rails console. Expected results would be after console starts rails environment to run file. 

Or any other way which would allow me to execute file in rails environment, triggered from command prompt.

Pass ruby script file to rails console

I am using Ruby on Rails 3.2.2 and I would like to know if the following is a &quot;proper&quot;/&quot;correct&quot;/&quot;sure&quot; way to override a setter method for a my class attribute.

    attr_accessible :attribute_name
    
    def attribute_name=(value)
      ... # Some custom operation.
    
      self[:attribute_name] = value
    end

The above code seems to work as expected. However, *I would like to know if, by using the above code, in future I will have problems or, at least, what problems &quot;should I expect&quot;/&quot;could happen&quot; with Ruby on Rails*. If that isn&#39;t the right way to override a setter method, what is the right way?


----------

*Note*: If I use the code

    attr_accessible :attribute_name
    
    def attribute_name=(value)
      ... # Some custom operation.
    
      self.attribute_name = value
    end

I get the following error:

    SystemStackError (stack level too deep):
      actionpack (3.2.2) lib/action_dispatch/middleware/reloader.rb:70

What is the right way to override a setter method in Ruby on Rails?

What is the most modern (best) way of satisfying the following in C#?

    string encryptedString = SomeStaticClass.Encrypt(sourceString);
    
    string decryptedString = SomeStaticClass.Decrypt(encryptedString);

BUT with a minimum of fuss involving salts, keys, mucking about with byte[], etc.

Been Googling and confused at what I&#39;m finding (you can see the list of similar SO Qs to see this is a deceptive question to ask).



Encrypting &amp; Decrypting a String in C#

I asked a question here a while back on how to hide my http request calls and make them more secure in my application. I did not want people to use fiddler 2 to see the call and set up an auto responder. Everyone told me to go SSL and calls will be hidden and information kept safe.

I bought and installed an SSL Certificate and got everything set up. I booted up fiddler 2 and ran a test application that connect to an https web service as well as connected to an https php script.

Fiddler 2 was able to not only detect both requests, but decrypt them as well! I was able to see all information going back and fourth, which brings me to my question.

What is the point of having SSL if it made zero difference to security. With or without SSL I can see all information going back and fourth and STILL set up an auto responder.

Is there something in .NET I am missing to better hide my calls going over SSL?

**EDIT**

I am adding a new part to this question due to some of the responses I have received. What if an app connects to a web service to login. The app sends the web service a username and a password. The web service then sends data back to the app saying good login data or bad. Even if going over SSL the person using fiddler 2 could just set up an auto responder and the application is then &quot;cracked&quot;. I understand how it could be useful to see the data in debugging, but my question is what exactly should one do to make sure the SSL is connecting to the one it was requesting. Basically saying there cannot be a middle man.

What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?

I&#39;m currently a student and I&#39;m studying PHP, I&#39;m trying to make a simple encrypt/decrypt of data in PHP. I made some online research and some of them were quite confusing(at least for me).

Here&#39;s what I&#39;m trying to do:

I have a table consisting of these fields **(UserID,Fname,Lname,Email,Password)**

What I want to have is have the all fields encrypted and then be decrypted(Is it possible to use `sha256` for encryption/decryption, if not any encryption algorithm)

Another thing I want to learn is how to create a one way `hash(sha256)` combined with a good &quot;salt&quot;.
(Basically I just want to have a simple implementation of encryption/decryption, `hash(sha256)+salt)
`
Sir/Ma&#39;am, your answers would be of great help and be very much appreciated. Thank you++

How to encrypt/decrypt data in php?

My understanding is that SSL combines an encryption algorithm (like AES, DES, etc.) with a key exchange method (like Diffie-Hellman) to provide secure encryption and identification services between two endpoints on an un-secure network (like the Internet).

My understanding is that SASL is an MD5/Kerberos protocol that pretty much does the same thing.

So my question: what are the pros/cons to choosing both and what scenarios make either more preferable? Basically, I&#39;m looking for some guidelines to follow when choosing SSL or to go with SASL instead. Thanks in advance!

Security &amp; Authentication: SSL vs SASL

I have been searching the Internet for ***good*** c++ AES code sample/tutorial that teaches the basics of the encryption technology and the use of the Library but so far I have had no luck getting decent material.

good: Easy to understand (Just the basics for on the go study).

Example of AES using Crypto++

I am trying to validate the password using regular expression. The password is getting updated if we have all the characters as alphabets. Where am i going wrong ? is the regular expression right ?

   

    function validatePassword() {
        var newPassword = document.getElementById(&#39;changePasswordForm&#39;).newPassword.value;
        var minNumberofChars = 6;
        var maxNumberofChars = 16;
        var regularExpression  = /^[a-zA-Z0-9!@#$%^&amp;*]{6,16}$/;
        alert(newPassword); 
        if(newPassword.length &lt; minNumberofChars || newPassword.length &gt; maxNumberofChars){
            return false;
        }
        if(!regularExpression.test(newPassword)) {
            alert(&quot;password should contain atleast one number and one special character&quot;);
            return false;
        }
    }

Javascript regular expression password validation having special characters

I need to execute **ssh** from **windows command line** by providing password in a non interactive manner. I could implement the key based authentication and able to execute the ssh commands just like 

    ssh &lt;user&gt;@&lt;host&gt; &lt;command&gt;

Is there any commands like 

    ssh &lt;user&gt;@&lt;host&gt; -P &lt;password&gt; &lt;command&gt;

[![enter image description here][1]][1]

I don&#39;t know if it is feasible. However, there can be some work around for the same. Throw me some ideas to accomplish the same. 


  [1]: http://i.stack.imgur.com/j08GP.png

Execute ssh with password authentication via windows command prompt

I work on a few apps in rails, django (and a little bit of php), and one of the things that I started doing in some of them is storing database and other passwords as environment variables  rather than plain text in certain config files (or in settings.py, for django apps).

In discussing this with one of my collaborators, he suggested this is a poor practice - that perhaps this isn&#39;t as perfectly secure as it might at first seem.

So, I would like to know - is this a secure practice? Is it more secure to store passwords as plain text in these files (making sure, of course, not to leave these files in public repos or anything)?

Is it secure to store passwords as environment variables (rather than as plain text) in config files?

&gt; **Possible Duplicate:**  
&gt; [Disable Copy/Paste into HTML form using Javascript](https://stackoverflow.com/questions/1226574/disable-copy-paste-into-html-form-using-javascript)  

&lt;!-- End of automatically inserted text --&gt;

[My bank][1] seem to have disabled copy-paste of username and password.

How is it done? Does it improve security?

  [1]: https://www.mizrahi-tefahot.co.il/he/bank/Pages/Default.aspx

Disable copy paste in HTML input fields?

I am currently using the following for hashing passwords:

    var pass_shasum = crypto.createHash(&#39;sha256&#39;).update(req.body.password).digest(&#39;hex&#39;);

Could you please suggest improvements to make the project safer?



Node.js hashing of passwords

I came across a discussion in which I learned that what I&#39;d been doing wasn&#39;t in fact salting passwords but peppering them, and I&#39;ve since begun doing both with a function like:

    hash_function($salt.hash_function($pepper.$password)) [multiple iterations]

Ignoring the chosen hash algorithm (I want this to be a discussion of salts &amp; peppers and not specific algorithms but I&#39;m using a secure one), is this a secure option or should I be doing something different? For those unfamiliar with the terms:

 - A **salt** is a randomly generated value usually stored with the string in the database designed to make it impossible to use hash tables to crack passwords. As each password has its own salt, they must all be brute-forced individually in order to crack them; however, as the salt is stored in the database with the password hash, a database compromise means losing both.

 - A **pepper** is a site-wide static value stored separately from the database (usually hard-coded in the application&#39;s source code) which is intended to be secret. It is used so that a compromise of the database would not cause the entire application&#39;s password table to be brute-forceable.

Is there anything I&#39;m missing and is salting &amp; peppering my passwords the best option to protect my user&#39;s security? Is there any potential security flaw to doing it this way?

*Note: Assume for the purpose of the discussion that the application &amp; database are stored on separate machines, do not share passwords etc. so a breach of the database server does not automatically mean a breach of the application server.*

Best Practices: Salting &amp; peppering passwords?

Recently I have been trying to implement my own security on a log in script I stumbled upon on the internet. After struggling of trying to learn how to make my own script to generate a salt for each user, I stumbled upon `password_hash`. 

From what I understand (based off of the reading on [this page](http://php.net/manual/en/faq.passwords.php)), salt is already generated in the row when you use `password_hash`. Is this true? 

Another question I had was, wouldn&#39;t it be smart to have 2 salts? One directly in the file and one in the DB? That way, if someone compromises your salt in the DB, you still have the one directly in the file? I read on here that storing salts is never a smart idea, but it always confused me what people meant by that. 

How to use PHP&#39;s password_hash to hash and verify passwords

I&#39;m trying to configure Bcrypt for a node app that I&#39;m making and have several questions about salts that I hope someone here can help kindly answer.


- What is a salt &#39;round&#39;? For example, in the github docs (https://github.com/kelektiv/node.bcrypt.js/) it uses a salt round of 10. What does that mean exactly?

- Is the salt generated by Bcrypt always the same? For example, if I am saving user&#39;s hashed passwords to a DB, is the salt that it used to hash the password the same for every password?

- How is the salt stored? Is it secure from potential attacks?



Content Type	Original Author	Original Content on Stackoverflow
Question	Thijs	View Question on Stackoverflow
Solution 1 - Ruby on-Rails	fabi	View Answer on Stackoverflow

Does has_secure_password use any form of salting?

Ruby on-Rails Problem Overview

Ruby on-Rails Solutions

Solution 1 - Ruby on-Rails

socket programming multiple client to one server

Truncate/round whole number in JavaScript?

Attributions