Last Updated: September 09, 2019
·
1.602K
· chrismcleod

Use SCrypt with Devise user passwords

scrypt is probably more secure than bcrypt. Devise will probably eventually include it as en encryptor, but until it does, you can require this class (for rails apps, in your devise initializer) and set the encryptor config to 'scrypt'

module Devise
  module Encryptable
    module Encryptors

      class Scrypt < Base
        def self.digest(password, stretches, salt, pepper)
          ::SCrypt::Engine.hash_secret("#{password}#{pepper}", salt)
        end

        def self.compare(encrypted_password, password, stretches, salt, pepper)
          Devise.secure_compare(encrypted_password, digest(password, stretches, salt, pepper))
        end

        def self.salt(stretches)
          ::SCrypt::Engine.generate_salt()
        end
      end
    end
  end
end