Add salt to user password to make it more secure?

For now, using the feature: rails g authentication in Rails 8

If we create two users with the same password, then password_digest is the same too. I suppose we should add a salt (which bcrypt generates randomly) to make the password more secure.

I think we can learn from here

Have you included the bcrypt gem? It should be generating a salt each time and storing that in the field. See this StackOverflow answer for how that works.

Yes, bcrypt already salts the password by default.

At the beginning, I habitually thought that there must be an independent salt field in the users table. Later I found that both the password hash and the password salt are already saved in just one field, which is password_digest.

And I found the entire process is:

  1. find the user by email_address
  2. extract the salt by the user.password_digest.salt
  3. calculate digest of the salt and params[:password]
  4. compare the digest and password_digest in db

Anyway, thank you so much for this.
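Worked example, added here and not code from this thread, from Rails or from bcrypt-ruby: it parses the two password_digest values that appear in the rails console transcript further down this thread to show that version, cost, salt and hash all live in that one string, and then (only if the bcrypt gem is installed) replays steps 2 to 4 of the process above by hand. `fresh_digest` and `verify_like_has_secure_password` are helper names chosen for this example; the low cost of 4 is also an assumption made to keep the demo fast, not what has_secure_password uses in production.

```ruby
# Added example (not code from this thread, Rails, or bcrypt-ruby).
# A bcrypt digest is one string in the modular-crypt layout
#   $<version>$<cost>$<22-char salt><31-char hash>
# so password_digest already carries the salt; no separate column is needed.
BCRYPT_DIGEST = /\A\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# The two digests from the rails console transcript in this thread.
DIGEST_JOHN = "$2a$12$eYqyYQ.b5jZ79MJ8Y6u4T.Yu7Z90TzEyYPZ2LXRp7ezcESFTXca0W"
DIGEST_JANE = "$2a$12$Pl1vN7L7t3ZbK8W/e15tHeLKYEN8OGkPu.dqSve7fhU3ezxb7lt.2"

def parse_bcrypt_digest(digest)
  m = BCRYPT_DIGEST.match(digest)
  raise ArgumentError, "not a bcrypt digest: #{digest.inspect}" unless m
  version, cost, salt, hashed = m.captures
  {
    version: version,
    cost: cost.to_i,                                 # work factor: 2**cost rounds
    salt: salt,                                      # 128 random bits, radix-64 encoded
    salt_prefix: "$#{version}$#{cost}$#{salt}",      # what BCrypt::Password#salt returns
    hash: hashed
  }
end

# Byte-wise comparison that does not stop at the first mismatch, so timing
# does not leak how many leading bytes of the digest matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def bcrypt_available?
  require 'bcrypt'
  true
rescue LoadError
  false
end

# Hypothetical helper (assumption: cost 4 is only for speed in this demo;
# has_secure_password uses bcrypt's default cost of 12 outside test env).
# Returns nil when the bcrypt gem is not installed.
def fresh_digest(password, cost: 4)
  return nil unless bcrypt_available?
  BCrypt::Password.create(password, cost: cost).to_s
end

# Steps 2-4 of the process above, done by hand: pull the salt out of the
# stored digest, re-hash the candidate with that salt, compare the result.
# Returns nil when the bcrypt gem is not installed.
def verify_like_has_secure_password(stored_digest, candidate)
  return nil unless bcrypt_available?
  salt_prefix = parse_bcrypt_digest(stored_digest)[:salt_prefix]   # step 2
  recomputed  = BCrypt::Engine.hash_secret(candidate, salt_prefix) # step 3
  constant_time_equal?(recomputed, stored_digest)                  # step 4
end

if __FILE__ == $0
  j = parse_bcrypt_digest(DIGEST_JOHN)
  n = parse_bcrypt_digest(DIGEST_JANE)
  puts "cost #{j[:cost]}, salt #{j[:salt]}, hash #{j[:hash]}"
  puts "same password, different salts: #{j[:salt] != n[:salt]}"
  if (d = fresh_digest("password"))
    puts "verify correct password: #{verify_like_has_secure_password(d, 'password')}"
    puts "verify wrong password:   #{verify_like_has_secure_password(d, 'Password')}"
  end
end
```

In the real model you do not do any of this by hand: `has_secure_password` gives you `user.authenticate(params[:password])`, which calls `BCrypt::Password.new(password_digest).is_password?(candidate)` and so extracts the salt, re-hashes and compares for you. The parser is only there to make visible what the single column contains.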

@ElbertDue I have to prove you wrong on that

class User < ApplicationRecord
  has_secure_password
  has_many :sessions, dependent: :destroy

  normalizes :email_address, with: ->(value) { value.strip.downcase }
end
$ rails c
Loading development environment (Rails 8.0.1)
app(dev)> u1 = User.new(email_address: "john@doe.tld", password: "password")
=> #<User:0x0000ffff8b10fc58 id: nil, email_address: "[FILTERED]", password_digest: "[FILTERED]", created_at: nil, updated_at: nil>
app(dev)> u1.password_digest
=> "$2a$12$eYqyYQ.b5jZ79MJ8Y6u4T.Yu7Z90TzEyYPZ2LXRp7ezcESFTXca0W"
app(dev)> u2 = User.new(email_address: "jane@doe.tld", password: "password")
=> #<User:0x0000ffff8b059250 id: nil, email_address: "[FILTERED]", password_digest: "[FILTERED]", created_at: nil, updated_at: nil>
app(dev)> u2.password_digest
=> "$2a$12$Pl1vN7L7t3ZbK8W/e15tHeLKYEN8OGkPu.dqSve7fhU3ezxb7lt.2"
app(dev)> u1.password_digest === u2.password_digest
=> false