codahale.com blog

Coda Hale lives in Berkeley, CA, where he writes about Ruby on Rails, usability, web design and development, and the occasional bit about bicycles.

bcrypt-ruby: Secure Password Hashing

The Problem

So you remember how Reddit got a backup copy of their database stolen? Do you also remember how, since they stored users’ passwords as plain text, the hacker also got a big list of people’s email addresses and their passwords?

That’s bad. How can you avoid that?

Using bcrypt-ruby

Check out my new gem: bcrypt-ruby.

To install:

sudo gem install bcrypt-ruby

(make sure you have a C compiler and OpenSSL)

To use:

require 'bcrypt'

my_password = BCrypt::Password.create("my password") #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"

my_password.version              #=> "2a"
my_password.cost                 #=> 10
my_password == "my password"     #=> true
my_password == "not my password" #=> false

my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
my_password == "my password"     #=> true
my_password == "not my password" #=> false
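The strings that create returns and new accepts carry everything a later check needs. As an added illustration (not code from the gem), here is a pure-Ruby parser for that format showing where version and cost come from and why no separate salt column is needed; BCRYPT_HASH_RE, parse_bcrypt_hash and non_bcrypt_values are names chosen here, the sample hash is the one shown above, and the two bad rows are constructed.

```ruby
# Added example (not from the bcrypt-ruby gem): a pure-Ruby parser for the
# bcrypt hash string. Layout: "$" version "$" two-digit cost "$" 22-char
# radix-64 salt followed directly by the 31-char radix-64 digest.
BCRYPT_HASH_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Returns the fields embedded in a bcrypt string, or nil if the value is not a
# well-formed bcrypt hash (for example a plain-text password that ended up in
# the column, or a hex MD5 digest left over from an older scheme).
def parse_bcrypt_hash(str)
  m = BCRYPT_HASH_RE.match(str)
  return nil unless m
  version, cost, salt, digest = m.captures
  {
    version: version,
    cost: cost.to_i,      # work factor; key setup runs 2**cost rounds
    salt: salt,           # 128-bit salt, radix-64 encoded (22 chars)
    digest: digest,       # 184-bit hash, radix-64 encoded (31 chars)
    rounds: 2**cost.to_i
  }
end

# Storage-layer sanity check: does every stored credential look like a bcrypt
# hash? Returns the offending values (empty array means all rows are hashed).
def non_bcrypt_values(values)
  values.reject { |v| parse_bcrypt_hash(v) }
end

# The hash from the post above, plus two constructed bad rows.
SAMPLE_HASH = "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
BAD_ROWS    = ["hunter2", "5f4dcc3b5aa765d61d8327deb882cf99"]

if __FILE__ == $0
  p parse_bcrypt_hash(SAMPLE_HASH)
  p non_bcrypt_values([SAMPLE_HASH] + BAD_ROWS)
end
```

Because the salt and cost travel inside the string, a hash created at cost 10 today can still be verified after the application default is raised later; only newly created hashes pick up the higher cost.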

What’s bcrypt?

bcrypt() is the password hashing algorithm used by OpenBSD.

It’s awesome because:

  • Developed by The OpenBSD Project specifically for hashing passwords. They don’t screw around with security.
  • Salts are automatically generated and managed for you.
  • It’s orders of magnitude harder to crack than MD5, SHA2, and other standard hash algorithms.
  • It has a cost parameter which allows you to ratchet up the computational expense of checking a password — it can be low for low security situations or high for high security situations.

So don’t get caught with your pants down — be professional.
