I want to use has_secure_password to store hashed passwords in the database. I can't find on the the internet if has_secure_password uses any form of salting. If it uses salting, how does it works?
has_secure_password uses bcrypt-ruby. bcrypt-ruby automatically handles the storage and generation of salts for you. A typical hash from bcrypt-ruby looks like this: $2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e. This hash is split internally using the following function:
def split_hash(h)
_, v, c, mash = h.split('$')
return v, c.to_i, h[0, 29].to_str, mash[-31, 31].to_str
end
For the example hash this function yields:
The ==-function of BCrypt::Password extracts the salt and applies it to the passed string:
BCrypt::Password.create('bla') == 'bla' # => true