13 votes

From what I understand of salting to make an encrypted password more secure, I would generate a random number (the salt) and store it alongside the hashed password, in the user record (for example). I would concatenate the salt with the plaintext password and then encrypt it (hash). The resulting hash would be much more difficult to crack. This process would be repeated to verify the password.

Looking at has_secure_password and bcrypt_ruby (disclosure: I am not a security expert) I don't see how that is done, as the only thing stored in the user record is the hashed password. Where's the salt?

1
See this question. Basically, the salt is stored in the same string as the crypted password (that might be over-simplifying, and people with security chops are free to object, but the point is that bcrypt is not inherently insecure) - Flambino
The link you provided is perfect, thanks! - pitosalas

1 Answer

8 votes

The password hash and salt are saved in a string column called password_digest in the database. See this question.
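To make the answer concrete, here is an added example (not code from the question, the answer, or the bcrypt-ruby project) that pulls the bcrypt digest apart so you can see where the salt sits inside the single `password_digest` string. The digest format itself is the standard bcrypt one: `$2a$` + two-digit cost + `$` + 22 characters of salt + 31 characters of hash, 60 characters in total. The sample digest is a constructed example string in that format, not taken from this page. The `parse_bcrypt_digest` and `salt_prefix` helpers are assumptions of this example; `BCrypt::Password#salt` and `BCrypt::Engine.hash_secret` are real bcrypt-ruby methods, and that part only runs if the gem is installed.

```ruby
# Added example: where the salt lives inside a bcrypt digest.
# Standard bcrypt modular-crypt format:
#   $<version>$<cost>$<22-char salt><31-char hash>   (60 characters total)
BCRYPT_DIGEST = %r{\A\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Split a stored digest into its parts. Raises if the string is not a bcrypt digest,
# which is a useful check when migrating old rows or auditing a users table.
def parse_bcrypt_digest(digest)
  m = BCRYPT_DIGEST.match(digest)
  raise ArgumentError, "not a bcrypt digest: #{digest.inspect}" unless m
  { version: m[1], cost: m[2].to_i, salt: m[3], hash: m[4] }
end

# bcrypt re-reads exactly this 29-character prefix ("$2a$10$" + salt) from the
# stored digest when verifying a candidate password, so no separate salt column is needed.
def salt_prefix(digest)
  parse_bcrypt_digest(digest) # validate first
  digest[0, 29]
end

# Defender-side check: digests produced with a cost below your current policy
# should be rehashed on the user's next successful login.
def cost_below?(digest, minimum_cost)
  parse_bcrypt_digest(digest)[:cost] < minimum_cost
end

# Constructed sample digest in bcrypt format (not claimed to match any particular password).
SAMPLE_DIGEST = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

# Optional: show with the real gem that verification is "same salt + same password => same digest".
# Returns true/false when bcrypt-ruby is available, nil when it is not installed.
def verify_with_bcrypt_gem(candidate, stored_digest)
  require "bcrypt"
  stored = BCrypt::Password.new(stored_digest)            # parses the digest; stored.salt is the 29-char prefix
  recomputed = BCrypt::Engine.hash_secret(candidate, stored.salt)
  recomputed == stored_digest
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  parts = parse_bcrypt_digest(SAMPLE_DIGEST)
  puts "version: #{parts[:version]}  cost: 2^#{parts[:cost]}"
  puts "salt:    #{parts[:salt]}"
  puts "hash:    #{parts[:hash]}"
  puts "salt prefix bcrypt reuses on verify: #{salt_prefix(SAMPLE_DIGEST)}"
  puts "cost below 12? #{cost_below?(SAMPLE_DIGEST, 12)}"
  result = verify_with_bcrypt_gem("wrong-password", SAMPLE_DIGEST)
  puts(result.nil? ? "bcrypt gem not installed; skipping live verification" : "wrong password verifies? #{result}")
end
```

The takeaway is that `has_secure_password` does exactly what the question describes (random salt, concatenated and hashed, salt stored with the result); it just stores the salt and the hash in one column rather than two, and `BCrypt::Password#==` reads the salt back out of that column to recompute the hash for comparison.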