ruby-string-crypt
ruby-string-crypt is a backwards compatible implementation of String#crypt for Ruby, so that the core String#crypt can be deprecated and later removed.
String#crypt calls crypt(3) or crypt_r(3) for operating system-specific password hashing. In cases where neither crypt(3) nor crypt_r(3) is available, a DES-crypt implementation is used. DES-crypt should be considered insecure, and users are strongly recommended to switch to a secure password hashing library such as bcrypt, scrypt, or argon2.
Usage
# Generate new password hash.
# Salt is an operating system specific string.
password_hash = "password".crypt(salt)
# Check for matching password hash.
# This is insecure as it is vulnerable to a timing attack.
"password".crypt(password_hash) == password_hash
# More secure method of checking for matching password hash.
# Rack::Utils is provided by the rack gem.
require "rack/utils"
Rack::Utils.secure_compare(password_hash, "password".crypt(password_hash))
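A password check along the lines of the Usage snippet above, as an added example that is not part of ruby-string-crypt: it rejects crypt(3) failure results and unsupported salts, compares in constant time, and flags DES-crypt hashes for migration. It assumes Ruby 2.7+ for OpenSSL.secure_compare (used here instead of Rack), and the names verify_password, failure_token? and legacy_des_hash? are hypothetical.

```ruby
require "openssl"

# crypt(3) implementations signal failure either by returning NULL (Ruby
# raises a SystemCallError such as Errno::EINVAL) or by returning a short
# "failure token" beginning with "*". Neither may ever count as a match.
def failure_token?(hash)
  hash.start_with?("*")
end

# True when stored_hash is in traditional DES-crypt format: 2 salt characters
# plus 11 hash characters from the ./0-9A-Za-z alphabet. Such hashes should be
# migrated to bcrypt, scrypt or argon2 after the next successful login.
def legacy_des_hash?(stored_hash)
  stored_hash.match?(%r{\A[./0-9A-Za-z]{13}\z})
end

# Returns true only if candidate hashes to stored_hash.
def verify_password(candidate, stored_hash)
  return false unless stored_hash.is_a?(String) && stored_hash.bytesize >= 2
  return false if failure_token?(stored_hash)

  computed = candidate.crypt(stored_hash) # stored hash doubles as the salt
  return false if failure_token?(computed)

  # Comparison time does not depend on where the first differing byte is.
  OpenSSL.secure_compare(computed, stored_hash)
rescue ArgumentError, SystemCallError
  # Salt too short, NUL byte in an input, or a scheme this OS does not support.
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: "ab" is a traditional two-character DES salt.
  stored = "password".crypt("ab")
  puts "correct password:  #{verify_password('password', stored)}"
  puts "wrong password:    #{verify_password('passw0rd', stored)}"
  puts "failure token:     #{verify_password('password', '*0')}"
  puts "needs migration:   #{legacy_des_hash?(stored)}"
end
```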
Installing the gem
gem install string-crypt
If you want to have the library skip using crypt(3) or crypt_r(3) and force the internal DES-crypt implementation:
STRING_CRYPT_FORCE_MISSING=1 gem install string-crypt
Running the tests
In the repository:
rake test
This requires rake-compiler to compile the library, and minitest for testing.
Reporting issues/bugs
ruby-string-crypt uses GitHub Issues for tracking issues/bugs:
https://github.com/jeremyevans/ruby-string-crypt/issues
Contributing
The source code is on GitHub:
https://github.com/jeremyevans/ruby-string-crypt
To get a copy:
git clone https://github.com/jeremyevans/ruby-string-crypt.git
Platforms Supported
Ruby 2.1+ is supported. This library does not currently offer support for JRuby.
Maintainer
Jeremy Evans <[email protected]>