Creating password in database:
> password = 'secret'
> encrypted_password_in_database = BCrypt::Password.create(password)
Comparing password:
> BCrypt::Password.new(encrypted_password_in_database) == 'secret'
=> true
== is actually a method defined in bcrypt-ruby
Devise is comparing it using something like constant-time secure comparison but bcrypt-ruby project decided not to go with that. Read more about it here:
Top comments (4)
Those are some really interesting arguments in the bcrypt issues/PRs. I guess I take the opinion that you can never have too much security, so I would include the constant time string comparison as well. I'm glad Devise does that.
It seems like constant-time secure comparison is not necessary because users won't submit hashed data via parameters. Timing attacks are effective only when the user submits hashed data and then the server compares the data against whatever is in the DB .
Judging from the responses I don't think they're ever going to adopt the change, though it's not like the default it's inherently insecure...
But you can change the encryptor Devise uses, maybe to something like Argon2 using devise-argon2
TIL about argon and scrypt. Awesome link 👍