In the words of my software engineering instructor, “Anything that is on the internet is not secure.” However many authentication steps you add as a precaution, there are loopholes for everything, and anything can be hacked. Despite this pessimistic outlook on hacking, as web developers we still have to do our best to protect our applications. Just because nothing is perfectly secure does not mean we should give up on security. This brings us to hashing.
Hashing takes an input, applies a hash function, and gives us an output. The process is one-way: the output cannot be turned back into the input, and it is extremely hard to reverse engineer. Note that bcrypt's hash function itself is public; its strength comes from the one-way design, the per-password random salt, and the adjustable work factor, not from keeping the function secret. For our hashing algorithm, we’ll be using a Ruby gem called bcrypt.
Step one for using bcrypt is adding it to your Gemfile and then installing it by running bundle install.
By looking at the official documentation on GitHub, we know the syntax for creating a password is:
my_password = BCrypt::Password.create("my password")
Knowing this, we can change our insecure applications into applications that store passwords securely. First, we need to update our existing schema by replacing the plain password column with a password_digest column that holds the bcrypt digest.
Lastly, we have to tell our model that it has a secure password. The method has_secure_password is provided by Rails (ActiveModel) and relies on the bcrypt gem; it is what runs our hash function. Whenever a new user is created with a password passed to it, a new password digest is created and stored in the database. The attribute you assign when creating the user is still “password”, not “password_digest”; only the digest is persisted, and the plaintext password is never written to the database.