Why BCrypt Gem?

Henry Phan
3 min read · Mar 10, 2021

It doesn’t matter if you are a beginner or an experienced Rails developer. If you plan to have users register, sign in to your application, or store passwords that should be secure and not shared with the public, a gem should come to mind. Can you guess which? That’s correct, bcrypt! Why bcrypt, you ask? Well, why not. Before explaining the why, let’s go over the what.

What is bcrypt?

Quick history lesson, free of charge! bcrypt is a password hashing algorithm designed by Niels Provos and David Mazières of the OpenBSD Project in 1999. From Wikipedia, the B in bcrypt stands for Blowfish:

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date.

In cybersecurity, bcrypt is a password hashing function that is deliberately slow and offers no shortcut: its cost factor fixes how much work every single hash takes, whether it is computed by your application or by someone guessing passwords. As a developer, the word slow normally isn't a good thing. The faster the application, the better, right? In this case, though, slow is ideal, and one hash per login is not noticeable to a user. Honestly, the user will appreciate your efforts in trying to secure their personal information. It takes far more effort to brute-force the password: the slower the algorithm, the fewer guesses that can be made per second, and the harder the password is to crack. Ruby offers a gem, bcrypt, that does just that; a Rails-generated Gemfile already lists it, commented out until you need it.

Curious how bcrypt works?

Pretend bcrypt is a chef behind the scenes of your application. Bcrypt (the chef) salts your meal (the password) and serves you a uniquely different meal (the hashed password). Isn't too much salt bad for your health? Only pretend, I said. I'm not talking about the salt that causes bloating, severe thirst, or high blood pressure.

Password

Imagine your website is breached, or worse, a client's site is breached, one storing valuable personal information of hundreds of thousands of people. It's your responsibility as a web developer to make your web application secure. Wouldn't you want a way to store important information like login or banking account passwords safely? Enough pretending: in cryptography, a salt is random data used as an additional input to a one-way function that hashes data, a password, or a passphrase. Salts safeguard passwords in storage: a random string of 32 or more characters is added to the password, and the combination is hashed. Only the resulting hash, together with its salt, is stored. In return, the original password (the important data) is never actually stored in your application.
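The following is an added example of the salting mechanics just described; it is my code, not the article's, and it uses only Ruby's standard library so it runs without the gem. PBKDF2 (`OpenSSL::PKCS5.pbkdf2_hmac`) stands in here for bcrypt's own key-stretching step, which is an assumption on my part made to keep the example dependency-free; the salt handling is the same idea in both. The helper names `salt_and_hash`, `verify`, `secure_equal?` and `same_password_different_hashes?` are mine.

```ruby
# Added example: what a per-password random salt does, using Ruby stdlib only.
# PBKDF2 stands in for bcrypt's key stretching; helper names are illustrative.
require "openssl"
require "securerandom"

SALT_BYTES = 16         # 128-bit random salt, generated fresh for every password
ITERATIONS = 100_000    # work factor: raise this to make every guess slower
KEY_LENGTH = 32

# Hash +password+ with a salt (a fresh random one unless given). Returns a
# storable string "iterations$salt_hex$hash_hex". The salt is not secret;
# the password itself is never written anywhere.
def salt_and_hash(password, salt: SecureRandom.random_bytes(SALT_BYTES), iterations: ITERATIONS)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH,
                                      OpenSSL::Digest.new("sha256"))
  [iterations, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
end

# Constant-time comparison: a wrong guess takes the same time no matter how
# many leading bytes happen to match, so timing leaks nothing about the hash.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the hash from the stored salt and work factor, then compare.
# This is why the original password never has to be stored: the stored
# record contains everything needed to check a candidate.
def verify(stored, candidate)
  iterations, salt_hex, hash_hex = stored.split("$")
  salt = [salt_hex].pack("H*")
  recomputed = salt_and_hash(candidate, salt: salt, iterations: Integer(iterations))
  secure_equal?(recomputed.split("$").last, hash_hex)
end

# Two users who pick the same password end up with different stored hashes,
# so a leaked table does not reveal who shares a password, and one
# precomputed lookup table cannot crack every row at once.
def same_password_different_hashes?(password)
  salt_and_hash(password) != salt_and_hash(password)
end

if __FILE__ == $PROGRAM_NAME
  stored = salt_and_hash("hunter2")                  # constructed sample password
  puts "stored record:            #{stored}"
  puts "verify correct password:  #{verify(stored, 'hunter2')}"
  puts "verify wrong password:    #{verify(stored, 'hunter3')}"
  puts "same pw, different hash:  #{same_password_different_hashes?('hunter2')}"
end
```

Storing the iteration count alongside the salt, as the record above does, is what lets you raise the work factor later for new passwords while still verifying old ones.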

Here would be where I explain the why. But by this point, it should be clear why you should be using bcrypt, unless you don't plan on storing anything important or would like to share yours and other people's information with hackers. It would be best to think of bcrypt, or an alternative, as a way of hardening your web application's security.

__More information__

How to install and use bcrypt-ruby

Password Salting

Password Hashing
