Using BCrypt for password hashing has several advantages over Ruby's built-in Digest classes (MD5, SHA-1, SHA-256 and friends are fast, unsalted general-purpose hashes, which is exactly what you do not want for passwords). First of all, it has a decent interface:

```ruby
gem "bcrypt-ruby"   # the gem is published as "bcrypt" these days; "bcrypt-ruby" is the older name
require "bcrypt"

hashed_password = BCrypt::Password.create "my password"
```
hashed_password is now an instance of BCrypt::Password (a String subclass holding the full hash). You can check a candidate password with ==:

```ruby
hashed_password == "my password"   # => true
```

Keep the BCrypt::Password on the left: its == re-hashes the candidate with the stored salt and compares the result, whereas "my password" == hashed_password falls back to String#== and is always false. is_password? is an alias if you prefer a method name.
The second nice point is the built-in security. Each password gets a fresh random salt, generated for you and stored inside the hash string, so two users with the same password end up with different hashes. Furthermore, BCrypt has a cost parameter that scales the computation time exponentially: the work is proportional to 2^cost. (One caveat to keep in mind: bcrypt only looks at the first 72 bytes of the password.)
```ruby
hashed_password4  = BCrypt::Password.create("my password", cost: 4)
hashed_password13 = BCrypt::Password.create("my password", cost: 13)
```

Computing hashed_password13 is 2^9 times as expensive as computing hashed_password4, since every +1 in cost doubles the work. Valid costs run from 4 to 31; bcrypt (and bcrypt-ruby with it) silently raises anything lower to 4, and the library default, BCrypt::Engine::DEFAULT_COST, is 12 in current releases. This way you can adjust the hashing to your available resources and always use the most-expensive-to-crack hashing you can afford. Because the cost is recorded in the hash itself, you can raise it later and re-hash users as they log in.
Last but definitely not least, storing and restoring a BCrypt::Password is dead simple:

```ruby
storable_string = hashed_password.to_s          # "$2a$12$..." (60 characters)
restored_hash   = BCrypt::Password.new storable_string
```

The string carries the algorithm version, the cost and the salt, so a single 60-character column is all you need to persist. BCrypt::Password.new raises BCrypt::Errors::InvalidHash if it is handed something that is not a bcrypt hash, and BCrypt::Password.valid_hash? lets you check first.