votes

An Excuse Not to Roll Your Own Authentication Scheme

Craig Stuntz's Weblog – The Rails 3.1 Release Candidate announcement contained news of many new and useful features, plus these regretful words: has_secure_password: Dead-simple BCrypt-based passwords. Now there’s no excuse not to roll your own authentication scheme. I will briefly provide an excuse. "Simple BCrypt-based passwords" is a reasonable feature, but shouldn’t be mistaken for end-to-end authentication, or even a substantial subset of that problem. Web site authentication in the real world is a far harder problem than salting and hashing a password — which BCrypt does OK, as far as I know. You ...

Favorite? Off-Topic? Craig Stuntz @ 2011-05-26 18:13