<p>Aaron Blohowiak suggests adding this as a public method in user.rb:</p> <pre> def new_random_password self.password= Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--")[0,6] self.password_confirmation = self.password end </pre> <p>This creates an alphanumeric password and satisfies the confirmation validation.</p> <p>This is not what I would call random. Actually it is quite predictable. This can lead to a security hole, especially if you use this method to allow users to reset their passwords on their own. An attacker would only have to know a valid login to be able to reset the password to a value known to him, since he obviously knows the exact moment in time he submits the request.</p> <p>The following code should be at least slightly better:</p> <p>def new_random_password<br /> self.password= Digest::SHA1.hexdigest(&#8220;<del>-#{rand.to_s}</del>-#{login}&#8212;&#8221;)[0,6]<br /> self.password_confirmation = self.password<br /> end</p> 2008-10-24T03:51:02-07:00 71696 automatic-password-generation 67186 2009-03-01T13:15:10-08:00 59179