Set and authenticate against bcrypt passwords. It uses the bcrypt-ruby gem.
Installation
Add this line to your application's Gemfile:
gem "secure-password"
And then execute:
$ bundle
Or install it yourself as:
$ gem install secure-password
Usage
require "secure_password"
class User
include SecurePassword
# A `password_digest` attribute is required.
attr_accessor :password_digest
end
user = User.new
user.password = "123456"
user.password_digest
# => "$2a$10$rHxX0jSF14JErSjrrFTB9exXPRkbzpq9.mg9nV2vHZVIjOqKQNvQe"
user.authenticate("nopassword")
# => false
user.authenticate("123456")
# => true
It's important to note that BCrypt hash function can handle maximum 72 characters. It's recommended to validate the length of a given password before creating a record.
The next example uses Scrivener:
class Signup
attr_accessor :username
attr_accessor :password
def validate
assert_present(:username)
assert_length(:password, 8..72)
end
end
signup = Signup.new(params)
if signup.valid?
User.create(signup.attributes)
end
Bcrypt's cost factor
The default cost factor used by BCrypt
is 10
. To change it, use:
SecurePassword.cost = 12
Check "Cost Factors" section for more information.
Testing
bcrypt is designed to be slow to make cracking exponentially difficult. However, tests don't need this security measures. To speed up your tests, you can decrease the default cost factor to the minimum:
require "secure_password/testing"
SecurePassword.cost # => 4
Contributing
Fork the project with:
$ git clone git@github.com:frodsan/secure-password.git
To install dependencies, use:
$ bundle install
To run the test suite, do:
$ rake test
For bug reports and pull requests use GitHub.
License
SecurePassword is released under the MIT License.