Does has_secure_password use any form of salting?

passwords ruby-on-rails encryption salt ruby-on-rails-3

Solution 1:

has_secure_password uses bcrypt-ruby. bcrypt-ruby automatically handles the storage and generation of salts for you. A typical hash from bcrypt-ruby looks like this: $2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e. This hash is split internally using the following function:

def split_hash(h)
  _, v, c, mash = h.split('$')
  return v, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
end

For the example hash this function yields:

  • version: 2a
  • cost: 10
  • salt: $2a$10$4wXszTTd7ass8j5ZLpK/7.
  • hash: ywXXgDh7XPNmzfIWeZC1dMGpFghd92e

The ==-function of BCrypt::Password extracts the salt and applies it to the passed string:

BCrypt::Password.create('bla') == 'bla' # => true

Related

Create line numbers on pre with CSS only
Visual Studio debugger tips & tricks for .NET
Convert.ChangeType and converting to enums?
Invoking GCC as "cc" versus "gcc"
how to make an application thread safe?
Is there a need to use super.onActivityResult() in onActivityResult()?
Phone gap vs React Native [closed]
Can't push to the heroku
C++ Lambdas: Difference between "mutable" and capture-by-reference
Debugging Content Scripts for Chrome Extension
How do I install PIL/Pillow for Python 3.6?
What's the difference between Ctrl+C and Ctrl+[?