Topic: Acts_as_authenticated security or other rails solutions

I am a total Rails noob.  I have implemented acts_as_authenticated on a website I am developing and I was wondering about the security of it.  Specifically I was wondering if passwords are sent to the server in plain text or if there is another method it uses. 

Do I need to use SSL?  Is there some better way to do authentication in Rails that doesn't allow someone to sniff the password when it is sent, or is acts_as_authenticated already taking care of it? Thanks.

Re: Acts_as_authenticated security or other rails solutions

acts_as_authenticated stores a hash of the password so they are not in plain text on the server.  As with any non-SSL website, passwords (and any information) sent via a web form will be sent in plain text and will be visible to anyone watching the traffic.  If you need the additional security of a secure connection between the client and the server you will need SSL.  At that point it goes beyond the realm of which authentication system you're using.

Re: Acts_as_authenticated security or other rails solutions

osteo wrote:

I am a total Rails noob.  I have implemented acts_as_authenticated on a website I am developing and I was wondering about the security of it.  Specifically I was wondering if passwords are sent to the server in plain text or if there is another method it uses. 

Do I need to use SSL?  Is there some better way to do authentication in Rails that doesn't allow someone to sniff the password when it is sent, or is acts_as_authenticated already taking care of it? Thanks.

Passwords are sent over the wire in plain text, yes. They're only encrypted once the information reaches the server. Use SSL if you need the client/server connection protected.

vinnie - rails forum admin
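An added illustration of the two answers above (my own code, not from the thread or from the acts_as_authenticated plugin): what the server stores is a salted digest, while the login form itself puts the password on the wire as plain form data, which only TLS on the connection hides. The salted-SHA-1 digest format is reproduced from memory as an assumption; the user hash, SecureRandom salt and constant-time compare are mine.

```ruby
require 'digest/sha1'
require 'securerandom'
require 'cgi'

# Server side: the digest acts_as_authenticated stores instead of the
# password (assumed format: "--salt--password--" through SHA-1). A modern
# Rails app should use bcrypt via has_secure_password instead of SHA-1.
def encrypt_password(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# Assumption: a user record is modelled as a plain Hash. The plugin derived
# the salt from the current time and login; a random salt is used here.
def create_user(login, password)
  salt = SecureRandom.hex(20)
  { login: login, salt: salt, crypted_password: encrypt_password(password, salt) }
end

# Server-side check on login: re-digest the submitted password with the
# stored salt and compare in constant time so timing does not leak the digest.
def authenticated?(user, password)
  expected = encrypt_password(password, user[:salt])
  stored   = user[:crypted_password]
  return false unless expected.bytesize == stored.bytesize
  expected.bytes.zip(stored.bytes).map { |a, b| a ^ b }.sum.zero?
end

# Client side: the exact request body a login form submits. Over plain HTTP
# these bytes are readable by anyone on the path; over HTTPS the whole
# request is encrypted before it leaves the browser, hashing on the server
# does nothing for this stage.
def login_form_body(login, password)
  "login=#{CGI.escape(login)}&password=#{CGI.escape(password)}"
end

if __FILE__ == $PROGRAM_NAME
  user = create_user('osteo', 's3cret pass')          # constructed sample
  puts "stored:  #{user[:crypted_password]}"
  puts "on wire: #{login_form_body('osteo', 's3cret pass')}"
  puts "login ok: #{authenticated?(user, 's3cret pass')}"
end
```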

Re: Acts_as_authenticated security or other rails solutions

Thanks a lot.  I'll start looking at SSL/TLS.