Class: Authlogic::CryptoProviders::BCrypt
In: lib/authlogic/crypto_providers/bcrypt.rb
Parent: Object
For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consider BCrypt. This is an extremely secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt hashed password would take much longer than a brute force attack on a password hashed with a Sha algorithm. Keep in mind you are sacrificing performance by using this: hashing a password takes exponentially longer than with any of the Sha algorithms. I did some benchmarking to save you some time with your decision:
    require "bcrypt"
    require "digest"
    require "benchmark"

    Benchmark.bm(18) do |x|
      x.report("BCrypt (cost = 10):") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
      x.report("BCrypt (cost = 2):")  { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
      x.report("Sha512:")             { 100.times { Digest::SHA512.hexdigest("mypass") } }
      x.report("Sha1:")               { 100.times { Digest::SHA1.hexdigest("mypass") } }
    end

                              user     system      total        real
    BCrypt (cost = 10):  10.780000   0.060000  10.840000 ( 11.100289)
    BCrypt (cost = 2):    0.180000   0.000000   0.180000 (  0.181914)
    Sha512:               0.000000   0.000000   0.000000 (  0.000829)
    Sha1:                 0.000000   0.000000   0.000000 (  0.000395)
You can play around with the cost to get that perfect balance between performance and security.
Decided BCrypt is for you? Just install the bcrypt gem:
    gem install bcrypt-ruby
Tell acts_as_authentic to use it:
    acts_as_authentic do |c|
      c.crypto_provider = Authlogic::CryptoProviders::BCrypt
    end
You are good to go!
Attributes: cost [W] (writer)
Does the hash match the tokens? Uses the same tokens that were used to encrypt.