Last Updated: November 09, 2021
· hannesg

Use BCrypt for passwords

Using BCrypt for password hashing has several advantages over the builtin Digest classes. First of all it has a decent interface:

gem "bcrypt-ruby"
require "bcrypt"
hashed_password = BCrypt::Password.create "my password"

hashed_password is now an instance of BCrypt::Password. You can check the password now with ==:

hashed_password == "my password" # => true

The second nice point is the built-in security. Passwords are automatically salted. Furthermore, BCrypt has a parameter cost which exponentially scales the computation time.

hashed_password1 = BCrypt::Password.create( "my password", cost: 1 )
hashed_password10 = BCrypt::Password.create( "my password", cost: 10 )

Computing hashedpassword10 is 2^9 times as expessive as computing hashedpassword1. This way you can adjust the hashing algorithm to your available resources and always use the most-expensive-to-crack hashing you can afford.

Last but definitly not least storing and restoring BCrypt::Passwords is simple as hell:

storable_string = hashed_password.to_s
restored_hash = storable_string