Does has_secure_password use any form of salting?

I want to use has_secure_password to store encrypted passwords in a database. I cannot find on the Internet whether has_secure_password uses any form of salting. If it uses salting, how does it work? Can anyone clarify this for me?

Tys

+60
passwords ruby-on-rails encryption salt
Apr 13 '12 at 11:27
1 answer

has_secure_password uses bcrypt-ruby. bcrypt-ruby automatically handles the storage and generation of salts for you. A typical hash from bcrypt-ruby looks like this: $2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e. This hash is split internally using the following function:

    def split_hash(h)
      _, v, c, mash = h.split('$')
      return v, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
    end

For the example hash, this function gives:

  • version: 2a
  • cost: 10
  • salt: $2a$10$4wXszTTd7ass8j5ZLpK/7.
  • hash: ywXXgDh7XPNmzfIWeZC1dMGpFghd92e

The == function of BCrypt::Password extracts the salt and applies it to the passed string:

 BCrypt::Password.create('bla') == 'bla' # => true 
+77
Apr 13 2018-12-12T00:
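
Because every digest carries its own version, cost and salt in the layout the answer describes, stored digests can be audited without knowing any password. The following is an added example, not part of the original answer and not bcrypt-ruby code: it parses digests with the standard library only and flags values that are not bcrypt, have a low cost factor, or share a salt. The names parse_bcrypt, audit_digests and MIN_COST, the threshold value and all sample rows except alice's digest are assumptions made for illustration.

```ruby
# Added example (not bcrypt-ruby code): audit stored bcrypt digests, stdlib only.
# Layout: $<version>$<2-digit cost>$<22-char salt><31-char checksum>
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}
BcryptDigest = Struct.new(:version, :cost, :salt, :checksum)
MIN_COST = 10 # assumed policy floor, not a value taken from the page

# Returns a BcryptDigest, or nil when the string is not a bcrypt digest.
# Unlike split_hash above, salt is the bare 22-character field (no "$2a$10$").
def parse_bcrypt(digest)
  m = BCRYPT_RE.match(digest.to_s)
  m && BcryptDigest.new(m[1], m[2].to_i, m[3], m[4])
end

# rows: [[user, digest], ...]; returns [[user, finding], ...]
def audit_digests(rows, min_cost: MIN_COST)
  findings = []
  users_by_salt = Hash.new { |h, k| h[k] = [] }
  rows.each do |user, digest|
    parsed = parse_bcrypt(digest)
    if parsed.nil?
      findings << [user, :not_bcrypt] # e.g. an unsalted hex digest
      next
    end
    findings << [user, :low_cost] if parsed.cost < min_cost
    users_by_salt[parsed.salt] << user
  end
  # A salt generated per password should never repeat between users.
  users_by_salt.each_value do |users|
    users.each { |u| findings << [u, :reused_salt] } if users.size > 1
  end
  findings
end

# Constructed sample rows; only alice's digest is the one quoted in the answer.
SAMPLE_ROWS = [
  ['alice', '$2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e'],
  ['bob',   '$2a$04$' + 'A' * 21 + '.' + 'B' * 31],
  ['carol', '0123456789abcdef' * 2],
  ['dave',  '$2a$12$' + 'C' * 21 + 'u' + 'D' * 31],
  ['erin',  '$2a$12$' + 'C' * 21 + 'u' + 'E' * 31]
].freeze

audit_digests(SAMPLE_ROWS).each { |user, finding| puts "#{user}: #{finding}" }
```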