
Philip Hofstetter's Profile

GitHub User: pilif

Site: http://www.gnegg.ch

Comments by Philip Hofstetter


Another thing to keep in mind: Postgres supports functional indexes, i.e. an index over the output of any arbitrary expression. This means that you can even use indexes when sorting over HSTORE values if you build the right index.

HSTOREs are really powerful tools.

I do hope, though, that one day we will get the same versatility in a native JSON column, and I think we are on the right track, as 9.2 will already have a native JSON type, albeit with no functionality aside from validation, but that's up to extension writers to fix.
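The expression-index technique the comment refers to, as an added example (not code from the comment or from RailsCasts). It assumes a table named products with an hstore column named properties and the constructed rows below; all of those names and values are made up here. The point to notice is that `properties -> 'price'` yields text, so the index has to be built over the same cast expression the query sorts by, or the planner will not match it.

```sql
-- Added example: expression (functional) indexes over hstore values in PostgreSQL.
-- Table, column and sample rows are constructed for this demonstration.
CREATE EXTENSION IF NOT EXISTS hstore;

CREATE TABLE products (
    id         serial PRIMARY KEY,
    name       text NOT NULL,
    properties hstore NOT NULL DEFAULT ''
);

-- Constructed sample rows.
INSERT INTO products (name, properties) VALUES
    ('Widget',    '"color" => "red",  "price" => "9.50"'),
    ('Gadget',    '"color" => "blue", "price" => "19.00"'),
    ('Doohickey', '"color" => "red",  "price" => "4.25"');

-- properties -> 'price' returns text, and text sorts lexically ('19.00' < '4.25').
-- Index the cast expression, not the raw text; the extra parentheses are required
-- because the index column is an expression rather than a column name.
CREATE INDEX products_price_idx ON products (((properties -> 'price')::numeric));

-- A plain expression index for equality lookups on a single key.
CREATE INDEX products_color_idx ON products ((properties -> 'color'));

-- The planner only matches an expression index when the query uses the
-- expression written the same way (same operator, same cast).
SELECT name, (properties -> 'price')::numeric AS price
FROM products
WHERE properties -> 'color' = 'red'
ORDER BY (properties -> 'price')::numeric;

-- Check that the index is actually chosen. On a table this small the planner
-- will prefer a sequential scan, so disable it for the demonstration only.
SET enable_seqscan = off;
EXPLAIN SELECT name FROM products ORDER BY (properties -> 'price')::numeric;
RESET enable_seqscan;

-- Expression indexes are per key. For containment queries over arbitrary keys
-- (properties @> '"color" => "red"') a GIN index on the whole column is the
-- right tool instead.
CREATE INDEX products_properties_idx ON products USING gin (properties);
```

One caveat: any function used in an index expression must be IMMUTABLE; `->` on hstore and the text-to-numeric cast both are, which is why this index is allowed. A cast through a user-defined function that is only STABLE would be rejected at CREATE INDEX time.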


@Chris password_hash can be used because the whole hash output from BCrypt also contains the salt and hash_secret is smart enough to detect that and just use the salt.

In fact, I would not even store the salt in the database any more. It's not needed and just increases the chance of bugs (duplicated storage of state is never a good idea).

@Paweł what is your reasoning behind sticking to a non-standard and less secure solution? I can see that you might not want to change your existing old code, which is totally fine, but coming here, to a tutorial about adding authentication from scratch to new applications, and recommending an outdated and non-standard solution over the publicly accepted, more secure standard solution seems not too intelligent.
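The property the comment relies on, shown as an added example rather than the commenter's or RailsCasts' code: a bcrypt hash string carries its own salt, so the stored hash can be handed back to the hashing function in place of a separate salt. bcrypt-ruby's `BCrypt::Engine.hash_secret` and PostgreSQL's pgcrypto `crypt()` both pass their salt argument to the same OpenBSD bcrypt routine, which reads only the `$2a$<cost>$<22-char salt>` prefix and ignores the rest, so the demonstration here uses pgcrypto in SQL (a deliberate swap from the Ruby API the comment names; the behaviour is identical). The users table, its columns and the sample password are made up for this example.

```sql
-- Added example: bcrypt output embeds its salt, so no separate salt column is needed.
-- Uses pgcrypto's crypt()/gen_salt() (same OpenBSD bcrypt as the bcrypt-ruby gem).
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
    id            serial PRIMARY KEY,
    email         text NOT NULL UNIQUE,
    password_hash text NOT NULL   -- no password_salt column: the salt lives inside the hash
);

-- gen_salt('bf', 10) returns '$2a$10$' followed by a random 22-character salt;
-- crypt() copies that prefix into its output and appends the 31-character digest.
INSERT INTO users (email, password_hash)
VALUES ('alice@example.com', crypt('correct horse battery staple', gen_salt('bf', 10)));

-- The stored value is 60 characters: version, cost, salt and digest in one string.
SELECT email,
       length(password_hash)   AS len,
       left(password_hash, 29) AS version_cost_and_salt
FROM users;

-- Verification: pass the stored hash where a salt is expected. Only its first
-- 29 characters are used as the salt, so the correct password reproduces the
-- stored string exactly and the row matches.
SELECT id
FROM users
WHERE email = 'alice@example.com'
  AND password_hash = crypt('correct horse battery staple', password_hash);

-- A wrong password under the same salt yields a different digest: no row.
SELECT id
FROM users
WHERE email = 'alice@example.com'
  AND password_hash = crypt('wrong password', password_hash);

-- Raising the cost later needs no schema change either: rehash on next login
-- and the new cost travels inside the new hash string.
UPDATE users
SET password_hash = crypt('correct horse battery staple', gen_salt('bf', 12))
WHERE email = 'alice@example.com';
```

Two practical notes. In an application, bind the password as a query parameter rather than interpolating it into the SQL text as the literals above do, otherwise it can end up in statement logs. And do the comparison in the database or with the library's own comparison method rather than by fetching the hash and comparing strings in application code, which tends to drift into timing-sensitive or encoding-sensitive comparisons.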