Version: v0.6.0 - Beta. We welcome contributors & feedback. Thanks!
Return a one-way encrypted hash of the user’s password.

This hash is the value that should be stored in the database.

A hash cannot be decrypted back into its original plaintext. It can only be compared with the hash of another value to see whether the two match.

This method currently uses the industry-standard bcrypt (Blowfish) hashing algorithm.

Security: Never compare password hashes with ==, because a plain equality check is vulnerable to timing attacks. Use the Password.match method instead.

Security: Never modify a password hash to create your own encryption scheme. The hash is already optimized to have the highest possible entropy; any additional change can only make it less secure.

Performance: This hashing algorithm is intentionally slow (~60 milliseconds or more) to protect against brute force attacks.
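An added example (not this library's code) of the hash/match pattern described above: a salted, slow, one-way hash that is safe to store, verified by re-hashing the candidate and comparing in constant time. It swaps the page's bcrypt for the standard library's PBKDF2-HMAC-SHA256 so it runs without extra dependencies; the storage format and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed storage format: "pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>".
# The stored string carries everything needed to re-derive the hash later.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # deliberately slow work factor, as with bcrypt's cost


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a one-way, salted hash; this is the value to store in the database."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def match_password(password: str, stored_hash: str) -> bool:
    """Re-hash the candidate with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored_hash.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        cost = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed or foreign hash string never matches
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    # hmac.compare_digest takes time independent of where the bytes first differ;
    # `candidate == expected` would return as soon as one byte mismatched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(match_password("correct horse battery staple", stored))  # True
    print(match_password("wrong password", stored))                # False
```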

See Also