
Exploring Rails 3.1 - ActiveModel::SecurePassword - there
http://bcardarella.com/post/4668842452/exploring-rails-3-1-activemodel-securepassword
======
roryokane
As Anne_Ominous wrote in the comments, this solution needs salts to be truly
secure. One reply to Anne links to a sentence in the bcrypt-ruby docs:
"bcrypt-ruby automatically handles the storage and generation of these salts
for you." However, there's something I don't understand. Where are the salts
stored? The linked article mentions only that the model needs a
password_digest field. If the salt is stored alongside it, shouldn't we need a
password_salt field too? And if the salt is stored in a separate database,
isn't that inefficient and unscalable?

~~~
createaccount94
>> hash = BCrypt::Password.create '123456'
=> "$2a$10$khoJWZR3hVA8Qcm3lW6sp.BQGOFKGo2xHCeH2YfDcQVRltEGCJe0S"
>> [hash.salt, hash.checksum]
=> ["$2a$10$khoJWZR3hVA8Qcm3lW6sp.", "BQGOFKGo2xHCeH2YfDcQVRltEGCJe0S"]

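The IRB session above answers roryokane's question: the salt is not in a separate column or database, it is the middle segment of the single password_digest string. The following is an added example, not code from the post or from bcrypt-ruby, that parses that string layout (a `$2a$`/`$2b$`/`$2y$` prefix, a two-digit cost, a 22-character salt and a 31-character checksum) without the gem, and shows that a row holding only password_digest is enough to recover the salt. The sample row is constructed; the digest in it is the one quoted in the thread.

```ruby
# Added example: parse the modular-crypt string that bcrypt-ruby stores in the
# password_digest column, to show that the salt lives inside that one column.
# This is not bcrypt-ruby's own code; the layout it assumes is the standard
# bcrypt format: "$2a$" <cost> "$" <22-char salt> <31-char checksum>.

BCRYPT_RE = /\A\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Split a bcrypt digest into its parts. Returns nil for anything that is not a
# well-formed digest (wrong prefix, non-numeric or out-of-range cost, wrong
# length), so a caller never treats a corrupted column value as a real hash.
def parse_bcrypt_digest(digest)
  return nil unless digest.is_a?(String)
  m = BCRYPT_RE.match(digest)
  return nil unless m
  version, cost_str, salt, checksum = m.captures
  cost = cost_str.to_i
  return nil unless (4..31).cover?(cost)
  {
    version: version,
    cost: cost,
    # bcrypt-ruby's Password#salt is the whole settings prefix including the
    # 22-character salt, which is exactly what the thread's IRB output shows.
    salt: "$#{version}$#{cost_str}$#{salt}",
    checksum: checksum,
  }
end

# Stand-in for a model row: only a password_digest column, no password_salt.
# Everything needed to re-hash a candidate password later is already here.
def salt_from_row(row)
  parsed = parse_bcrypt_digest(row[:password_digest])
  parsed && parsed[:salt]
end

# Constructed sample row (hypothetical user) carrying the digest from the thread.
SAMPLE_ROW = {
  email: "user@example.com",
  password_digest: "$2a$10$khoJWZR3hVA8Qcm3lW6sp.BQGOFKGo2xHCeH2YfDcQVRltEGCJe0S",
}

if __FILE__ == $0
  p parse_bcrypt_digest(SAMPLE_ROW[:password_digest])
  p salt_from_row(SAMPLE_ROW)
end
```

Verification works the same way inside the gem: `BCrypt::Password#==` re-hashes the candidate password with the settings prefix taken from the stored digest and compares the result to the stored string, so one column scales exactly as well as any other string column.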
------
zmanji
Wouldn't this make gems like Devise irrelevant?

~~~
damoncali
I hope so. It's a real pain to switch gems when the auth of the week is left
for dead.

~~~
moe
That reminds me, which is the auth gem of the week currently, Devise?

~~~
ludicast
Devise is excellent. Jose Valim's gems tend to become standards pretty
quickly.