fields

Reputation: 4653

What password hashing algorithm does devise use?

I would like to store and validate passwords in a ruby application that does not use devise, and have them be compatible with a future application that does use devise. What is the default password hashing scheme that devise uses, and is it possible to extract and use just this component from devise?

Upvotes: 3

Views: 5196

Answers (1)

Robert Nubel

Reputation: 7532

Devise's DatabaseAuthenticatable module uses BCrypt to hash passwords, wrapped up in the Devise::Encryptor module. The relevant method, digest, is pretty simple:

# Devise::Encryptor.digest; klass is the model class (used only for its settings)
def self.digest(klass, password)
  if klass.pepper.present?
    password = "#{password}#{klass.pepper}"   # pepper is appended, never stored
  end
  ::BCrypt::Password.create(password, cost: klass.stretches).to_s
end

klass is only used to fetch a couple parameters: pepper, a string which is appended onto the password pre-hashing but not stored in the database (unlike salt, which is appended as well but stored with the password in the DB); and cost, a measure of how secure the hash should be (see the docs). Both of these are static and you can hard-code them into your non-Devise app (but make sure to keep pepper secret!).

So, your hash method might be written just as:

require 'bcrypt'   # bcrypt gem

def self.digest(password)
  password = "#{password}#{ENV['PASSWORD_PEPPER']}"   # pepper read from the environment
  ::BCrypt::Password.create(password, cost: 10).to_s
end

Upvotes: 5
