Reputation: 10852
From what I understand of salting to make an encrypted password more secure, I would generate a random number (the salt) and store it alongside the hashed password, in the user record (for example). I would concatenate the salt with the plaintext password and then encrypt it (hash). The resulting hash would be much more difficult to crack. This process would be repeated to verify the password.
Looking at has_secure_password and bcrypt_ruby (disclosure: I am not a security expert), I don't see how that is done, as the only thing stored in the user record is the hashed password. Where's the salt?
Upvotes: 13
Views: 9515
Reputation: 3417
The password hash and salt are saved in a string column called password_digest in the database. See this question.
Upvotes: 8
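To make the answer concrete, here is an added example (not from the question, the answer, or the bcrypt-ruby gem itself) that parses a bcrypt digest string of the kind `has_secure_password` stores in `password_digest`, showing that the cost and the salt are embedded in the string ahead of the hash. The sample digest is constructed to illustrate the layout only, and `parse_bcrypt_digest` is a hypothetical helper, not a gem API.

```ruby
# bcrypt stores everything needed to re-check a password in one 60-character
# string (modular crypt format):
#   $<version>$<cost>$<22-char salt><31-char hash>
# so a separate salt column is unnecessary: on login the salt is read back
# out of password_digest, the candidate password is hashed with it, and the
# result is compared with the trailing 31 characters.
BCRYPT_DIGEST_RE = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Returns the components of a bcrypt digest, or nil when the string does not
# have the expected layout (e.g. an unsalted hex hash or a truncated column),
# which is a useful sanity check when auditing what a users table contains.
def parse_bcrypt_digest(digest)
  m = BCRYPT_DIGEST_RE.match(digest.to_s)
  return nil unless m
  {
    version: m[1],       # "2a", "2b", ... : algorithm variant
    cost: m[2].to_i,     # log2 of the number of key-expansion rounds
    salt: m[3],          # 128-bit random salt, radix-64 encoded
    hash: m[4],          # 184-bit hash output, radix-64 encoded
    # version + cost + salt, the 29-character prefix that BCrypt::Password#salt
    # reports and that is fed back into bcrypt when verifying a password
    salt_prefix: "$#{m[1]}$#{m[2]}$#{m[3]}"
  }
end

# Constructed sample in the correct format; it is not claimed to be the
# digest of any particular password.
SAMPLE_DIGEST = "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"

if __FILE__ == $PROGRAM_NAME
  parts = parse_bcrypt_digest(SAMPLE_DIGEST)
  puts "version: #{parts[:version]}  cost: 2^#{parts[:cost]} rounds"
  puts "salt:    #{parts[:salt]} (#{parts[:salt].length} chars)"
  puts "hash:    #{parts[:hash]} (#{parts[:hash].length} chars)"
end
```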