A password management class which allows you to safely store users' passwords and compare them.
Example usage:
  include BCrypt

  # hash a user's password
  @password = Password.create("my grand secret")
  @password #=> "$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG"

  # store it safely
  @user.update_attribute(:password, @password)

  # read it back (ActiveRecord's reload, not the console-only reload!)
  @user.reload
  @db_password = Password.new(@user.password)

  # compare it after retrieval
  @db_password == "my grand secret"     #=> true
  @db_password == "a paltry guess"      #=> false
checksum: The hash portion of the stored password hash (the trailing 31 characters).
cost: The cost factor used to create the hash.
salt: The salt of the stored password hash, including the version and cost prefix (the leading 29 characters).
version: The version of the bcrypt() algorithm used to create the hash.
Hashes a secret, returning a BCrypt::Password instance. Takes an optional :cost option, a logarithmic work factor that determines how computationally expensive the hash is to calculate (a :cost of 4 is twice as much work as a :cost of 3, since bcrypt runs 2**cost rounds of its key schedule). The higher the :cost, the harder it becomes for attackers to guess passwords by brute force (even if a copy of your database is stolen), but the slower it is to check users' passwords. A :cost above 31 raises ArgumentError.
Example:
  @password = BCrypt::Password.create("my secret", :cost => 13)

  # File lib/bcrypt.rb, line 159
  def create(secret, options = { :cost => BCrypt::Engine::DEFAULT_COST })
    raise ArgumentError if options[:cost] > 31
    Password.new(BCrypt::Engine.hash_secret(secret, BCrypt::Engine.generate_salt(options[:cost]), options[:cost]))
  end
Initializes a BCrypt::Password instance with the data from a stored hash. The string is validated first; anything that is not a well-formed bcrypt hash raises Errors::InvalidHash rather than silently producing an object that can never match.

  # File lib/bcrypt.rb, line 166
  def initialize(raw_hash)
    if valid_hash?(raw_hash)
      self.replace(raw_hash)
      @version, @cost, @salt, @checksum = split_hash(self)
    else
      raise Errors::InvalidHash.new("invalid hash")
    end
  end
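The following is an added example, not bcrypt-ruby's own code: a stand-alone re-implementation of what the attribute readers above and Password#initialize give you, namely validating a stored hash string and splitting it into version, cost, salt and checksum. It needs no gem, uses the sample hash from the usage example as constructed input, and assumes only the 2a/2b/2x/2y format variants (the names BcryptParts, parse_bcrypt_hash and relative_work are this example's own).

```ruby
# Added example, not bcrypt-ruby's own code: re-implements the validation and
# split that Password#initialize performs on a stored hash. Pure Ruby, no gem.
BcryptParts = Struct.new(:version, :cost, :salt, :checksum)

# Stored layout (60 chars): "$" version "$" two-digit cost "$" 22-char salt
# followed immediately by the 31-char checksum. Salt and checksum use bcrypt's
# own base64 alphabet (./A-Za-z0-9). Assumption: only the 2a/2b/2x/2y variants
# are accepted here.
BCRYPT_HASH = /\A\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

class InvalidHash < ArgumentError; end

def parse_bcrypt_hash(raw)
  s = raw.to_s
  m = BCRYPT_HASH.match(s) or raise InvalidHash, "invalid hash"
  version, cost, _salt22, checksum = m.captures
  cost = cost.to_i
  raise InvalidHash, "cost above 31" if cost > 31 # Password.create enforces the same limit
  # What the gem exposes as `salt` is the first 29 characters: version, cost
  # and the 22 random characters. It is not secret; it only has to be unique,
  # and it is what `==` feeds back into the engine to rehash a candidate.
  BcryptParts.new(version, cost, s[0, 29], checksum)
end

# bcrypt runs 2**cost rounds of its expensive key schedule, so the relative
# work between two cost settings is a power of two (cost 4 is twice cost 3).
def relative_work(cost_a, cost_b)
  2.0 ** (cost_a - cost_b)
end

if __FILE__ == $0
  # Constructed input: the sample hash from the usage example on this page.
  parts = parse_bcrypt_hash("$2a$10$GtKs1Kbsig8ULHZzO1h2TetZfhO4Fmlxphp8bVKnUlZCBYYClPohG")
  puts "version=#{parts.version} cost=#{parts.cost}"
  puts "salt=#{parts.salt}"
  puts "checksum=#{parts.checksum}"
  puts "cost 13 vs default 10: #{relative_work(13, 10)}x the work"
  begin
    parse_bcrypt_hash("5f4dcc3b5aa765d61d8327deb882cf99") # an MD5 hex digest, not bcrypt
  rescue InvalidHash => e
    puts "rejected: #{e.message}"
  end
end
```

The rejection path matters in practice: a column that was migrated from MD5 or SHA-1 and still holds old digests must fail loudly at construction time, not quietly compare unequal forever.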
Compares a potential secret against the hash. The candidate is hashed with the stored salt (which carries the version and cost, so it is run through the same cost the original was), and the resulting string is compared with the stored one. Returns true if the secret is the original secret, false otherwise.

  # File lib/bcrypt.rb, line 176
  def ==(secret)
    super(BCrypt::Engine.hash_secret(secret, @salt))
  end