Last Updated: February 26, 2017 · hannesg

Use BCrypt for passwords

Using BCrypt for password hashing has several advantages over the built-in Digest classes. First of all, it has a decent interface:

gem "bcrypt-ruby"   # in your Gemfile
require "bcrypt"
hashed_password = BCrypt::Password.create "my password"

hashed_password is now an instance of BCrypt::Password. You can check a candidate password against it with ==:

hashed_password == "my password" # => true

The second nice point is the built-in security. Passwords are automatically salted. Furthermore, BCrypt has a cost parameter which scales the computation time exponentially.

hashed_password1 = BCrypt::Password.create( "my password", cost: 1 )
hashed_password10 = BCrypt::Password.create( "my password", cost: 10 )

Computing hashed_password10 is 2^9 times as expensive as computing hashed_password1. This way you can adjust the hashing algorithm to your available resources and always use the most expensive-to-crack hashing you can afford.

Last but definitely not least, storing and restoring BCrypt::Passwords is simple as hell:

storable_string = hashed_password.to_s
restored_hash = BCrypt::Password.new storable_string
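
The string that to_s returns carries the cost in clear text, which is what lets you raise the cost later and re-hash old records on the next login. Here is an added example (not from the original tip, and not part of bcrypt-ruby) that parses that string in plain Ruby and applies the cost arithmetic from above; the sample value and the helper names are constructed for illustration. One caveat when experimenting: bcrypt-ruby clamps any cost below BCrypt::Engine::MIN_COST (4) up to 4, so cost: 1 does not actually run a cheaper computation than cost: 4.

```ruby
# Added example: inspect the string that BCrypt::Password#to_s produces so a
# login path can decide whether a stored hash was made with an outdated cost.
#
# Layout of a bcrypt modular-crypt string:
#   $2a$10$<22 chars of salt><31 chars of digest>
#   ^   ^   ^-- radix-64 alphabet ./A-Za-z0-9
#   |   +-- cost (log2 of the number of key-setup rounds)
#   +-- version prefix (2a, 2b or 2y)
BCRYPT_RE = /\A\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Parse a stored hash into its fields; nil if it is not a bcrypt string.
def parse_bcrypt(stored)
  m = BCRYPT_RE.match(stored.to_s)
  return nil unless m
  { version: m[1], cost: m[2].to_i, salt: m[3], digest: m[4] }
end

# How many times more work a hash at cost `high` takes than one at `low`:
# the cost is an exponent, so the ratio is 2**(high - low).
def work_ratio(low, high)
  2**(high - low)
end

# True when a stored hash was produced with a cost below the current target
# and should be regenerated with BCrypt::Password.create on the next
# successful login (the only moment the plaintext is available again).
def needs_rehash?(stored, target_cost)
  fields = parse_bcrypt(stored)
  return true if fields.nil?   # unparseable => treat as outdated
  fields[:cost] < target_cost
end

# Constructed sample in valid bcrypt layout: it is NOT a real hash of any
# password, only the shape that BCrypt::Password#to_s returns.
SAMPLE_STORED = "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __FILE__ == $0
  p parse_bcrypt(SAMPLE_STORED)
  puts "cost 10 vs cost 1: #{work_ratio(1, 10)}x the work"
  puts "needs rehash at target 12? #{needs_rehash?(SAMPLE_STORED, 12)}"
end
```

In a real app the re-hash step is just `BCrypt::Password.create(submitted_password, cost: target_cost).to_s` after `restored_hash == submitted_password` succeeded.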

NICE!

1 Response
Thanks for sharing!

9 months ago