by kaens 6438 days ago
I wasn't necessarily saying you should rip anything out of your system. I haven't examined it, nor am I an expert on security (encryption, particularly is a rather complicated area filled with implementations with very subtle flaws, possibly undiscovered).

I wasn't trying to come off as critical of you, although I can see how my post could be read that way - I was just making the point that homegrown stuff in this area has a notorious reputation for being unreliable.

I would argue that if using bcrypt makes your passwords harder to crack than using SHA256, there isn't much of a reason to keep using SHA256 - salted or not - regardless of how hard SHA256 is to crack.

And yes, 90% of the time, authentication / password storage schemes exist for whatever framework or platform that you're using that have been thoroughly tested by people who probably know their stuff better than you or I - and, from a security standpoint, it's probably better to use their scheme as opposed to writing one yourself.

1 comment

I can see where you're coming from. And trust me, I'm keenly aware that there are many people who have a better understanding of this and other issues than I do. This is the main reason why I'm using a framework to begin with.

However, as far as I can tell, none of the ready-made authentication/password storage schemes for Rails use bcrypt in a cross-platform way; if they did, I'd switch over. Where does that leave us? You can take that as a rhetorical question if you like.

That is a tough spot. I don't use RoR, so I can't offer much advice other than opening a ticket on your preferred method's bug tracker, or creating a patch - assuming they're open source and you're willing / able to do so.
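The bcrypt-versus-salted-SHA256 argument above is about work factor, not about whether SHA256 is "broken". The following is an added example, not code from anyone in this thread or from any Rails plugin: it stores the same password both ways and times the verify path, which is exactly what a cracker must replicate per guess. Since bcrypt is not in Ruby's standard library, PBKDF2-HMAC-SHA256 from OpenSSL stands in for it here (an assumption, not what the posters used); the property the argument turns on, a per-hash cost factor that the defender chooses and that is stored alongside the hash, is the same. Salts, the stored string format, and the sample password are all constructed for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'benchmark'

SALT_BYTES = 16

# Constant-time string comparison so verify time does not leak how many
# leading bytes of the hash matched. Implemented by hand to stay on stdlib.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Scheme 1: salted SHA256. One cheap hash call per guess, so an attacker's
# guess rate is bound only by hardware. The salt still matters: it defeats
# precomputed tables and makes identical passwords hash differently.
def sha256_store(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = OpenSSL::Digest::SHA256.digest(salt + password.b)
  "sha256$#{[salt].pack('m0')}$#{[digest].pack('m0')}"
end

def sha256_verify(password, stored)
  _scheme, salt_b64, _digest_b64 = stored.split('$', 3)
  salt = salt_b64.unpack1('m0')
  secure_equal?(sha256_store(password, salt), stored)
end

# Scheme 2: slow, tunable hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
# The cost is encoded in the stored string, so it can be raised for new
# hashes as hardware gets faster without breaking existing records.
def slow_store(password, cost = 100_000, salt = SecureRandom.random_bytes(SALT_BYTES))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, cost, 32, 'sha256')
  "pbkdf2$#{cost}$#{[salt].pack('m0')}$#{[key].pack('m0')}"
end

def slow_verify(password, stored)
  _scheme, cost, salt_b64, _key_b64 = stored.split('$', 4)
  salt = salt_b64.unpack1('m0')
  secure_equal?(slow_store(password, cost.to_i, salt), stored)
end

# Ratio of time per wrong guess under the slow scheme to time per wrong
# guess under salted SHA256. This is the factor by which the attacker's
# guesses-per-second drops, independent of how strong SHA256 is.
def slowdown_factor(password = 'correct horse battery staple', cost = 100_000, guesses = 5)
  fast = sha256_store(password)
  slow = slow_store(password, cost)
  t_fast = Benchmark.realtime { guesses.times { sha256_verify('wrong guess', fast) } }
  t_slow = Benchmark.realtime { guesses.times { slow_verify('wrong guess', slow) } }
  t_fast = [t_fast, 1e-9].max # guard against a zero reading on coarse clocks
  (t_slow / t_fast).round
end

if __FILE__ == $PROGRAM_NAME
  pw = 'correct horse battery staple' # constructed sample password
  puts "salted sha256: #{sha256_store(pw)}"
  puts "slow (cost 100000): #{slow_store(pw)}"
  puts "attacker slowdown factor: #{slowdown_factor(pw)}x"
end
```

Running it prints two stored records and a slowdown factor in the thousands on ordinary hardware. Two stores of the same password differ because each draws a fresh salt, and a record produced at a lower cost still verifies because the cost is read back from the record rather than hard-coded, which is the migration path when the cost is later raised.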