I want to use has_secure_password to store encrypted passwords in the database. I can't find on the the internet if has_secure_password uses any form of salting. If it uses salting, how does it works? Can anyone clarify this for me?
Thijs
has_secure_password uses bcrypt-ruby. bcrypt-ruby automatically handles the storage and generation of salts for you. A typical hash from bcrypt-ruby looks like this: $2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e. This hash is split internally using the following function:
def split_hash(h)
_, v, c, mash = h.split('$')
return v, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
end
For the example hash this function yields:
- version: 2a
- cost: 10
- salt: $2a$10$4wXszTTd7ass8j5ZLpK/7.
- hash: ywXXgDh7XPNmzfIWeZC1dMGpFghd92e
The ==-function of BCrypt::Password extracts the salt and applies it to the passed string:
BCrypt::Password.create('bla') == 'bla' # => true
来源:https://stackoverflow.com/questions/10139954/does-has-secure-password-use-any-form-of-salting