by tptacek 6438 days ago
"Salt" does nothing to address the primary way passwords have been cracked for the past 20 years, which is with incremental password crackers like Crack, L0phtcrack, and John the Ripper. Your comment about "anything not being used by the NSA" is silly, and misses the point entirely. Most Rails app users will entrust those apps with horribly bad passwords; bcrypt protects those passwords, and "salted SHA256" doesn't.

If you don't understand the problem you're trying to solve with this plugin, why are you promoting it?


My comment about "anything not being used by the NSA" is not silly, it's true. Hell, the NSA developed the SHA functions. I am not one to take security lightly, and salted SHA-256 is not taking security lightly. I am not sure what kind of apps you write, but for 99% of the apps in the world, salted SHA-256 is plenty secure. If it was as big of a problem as you said, it would be highly discouraged, which it is not. The leading authentication solution in Rails uses SHA-1. Regardless, if you are extra paranoid, you can use any type of encryption you want with authgasm. So the argument is moot. Lastly, authgasm is not about promoting SHA-256, it's about a style of authentication in Rails. The method of encryption is just an option, which is what the crypto_provider option is all about. If you don't understand the subject which you are discussing, why are you discussing it?

I actually looked into bcrypt and it's great. But it would be silly of me to use a Linux-only encryption solution in a library available to the Ruby public.

It really doesn't sound like you've read any of the other comments in this thread.
No, no, no - just because the NSA developed it does not mean it is the right solution for this problem. Read the comment above explaining fast versus slow hashing.
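Added example, not code from authgasm or from anyone in this thread, illustrating the fast-versus-slow hashing point made in the first comment and referred to again here: a salt stops precomputed tables, but each guess against salted SHA-256 still costs one SHA-256, while a slow hash multiplies the per-guess cost. PBKDF2-HMAC-SHA256 stands in for bcrypt (not in Ruby's standard library); the function names and the PBKDF2_ITERATIONS value are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'

SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000 # assumed work factor; tune so one hash costs ~0.1 s on your hardware

# Salted SHA-256: SHA-256(salt || password). The salt only defeats
# precomputed tables; each guess still costs exactly one SHA-256.
def salted_sha256(password, salt)
  OpenSSL::Digest::SHA256.digest(salt + password.b)
end

# A deliberately slow hash (PBKDF2-HMAC-SHA256, used here as a stand-in for
# bcrypt). Each guess costs `iterations` HMAC-SHA256 computations.
def slow_hash(password, salt, iterations = PBKDF2_ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, 'sha256')
end

# Constant-time comparison so verification does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_slow(password, salt, stored, iterations = PBKDF2_ITERATIONS)
  secure_equal?(slow_hash(password, salt, iterations), stored)
end

# Seconds per hash, averaged over n calls of the given block.
def seconds_per_hash(n)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  n.times { yield }
  (Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) / n
end

# How many times more expensive one guess is under the slow hash than under
# salted SHA-256 on this machine; an incremental cracker's throughput drops
# by this factor, salt or no salt.
def guess_cost_ratio(iterations = PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  fast = seconds_per_hash(2_000) { salted_sha256('password1', salt) }
  slow = seconds_per_hash(5) { slow_hash('password1', salt, iterations) }
  slow / fast
end

if __FILE__ == $0
  puts format('one slow-hash guess costs %.0fx one salted-SHA-256 guess', guess_cost_ratio)
end
```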