I found some code that uses String.crypt to hash passwords (yikes!), so I played around with a way that I could check a password against a BCrypt hash as well as the old String.crypt hashes.
What I found surprised me. The following method seems to work fine for both BCrypt hashes and String.crypt hashes, but I don’t know why:
```ruby
def check_password(password, stored_hash)
  password.crypt(stored_hash) == stored_hash
end
```
Trying it out:
```ruby
require 'bcrypt' # bcrypt-ruby gem, needed for BCrypt::Password

string_crypt_pass = "mysuperpass".crypt("$1$abasasa")        # MD5-crypt ($1$) via the system crypt(3)
bcrypt_pass = BCrypt::Password.create("mysuperpass").to_s     # "$2a$..." bcrypt hash as a plain String

check_password("mysuperpass", string_crypt_pass) # => true
check_password("mywrongpass", string_crypt_pass) # => false
check_password("mysuperpass", bcrypt_pass)       # => true
check_password("mywrongpass", bcrypt_pass)       # => false
```
How does this work?
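An added example, not part of the question above, that makes the mechanism visible: `String#crypt` hands its argument to the C library's `crypt(3)`, which reads only the leading "setting" (algorithm id, optional cost or rounds, and salt) and ignores the rest, so a full stored hash is accepted as if it were just the salt. The verifier below extracts that setting explicitly, compares in constant time, and flags hashes that are not bcrypt so they can be rehashed on the next successful login. It assumes the platform libcrypt supports the schemes listed (bcrypt only on systems with libxcrypt or similar); the `SETTING_PATTERNS` table and the function names are this example's own.

```ruby
# crypt(3) parses only the setting prefix of its second argument; these
# patterns capture that prefix for the common scheme identifiers.
SETTING_PATTERNS = {
  bcrypt: /\A\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{22}/,          # $2b$<cost>$<22-char salt>
  sha512: /\A\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$/,             # $6$[rounds=N$]<salt>$
  sha256: /\A\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$/,             # $5$[rounds=N$]<salt>$
  md5:    /\A\$1\$[^$]{1,8}\$/,                               # $1$<salt>$
  des:    /\A[.\/A-Za-z0-9]{2}(?=[.\/A-Za-z0-9]{11}\z)/       # 2-char salt, 13-char hash
}.freeze

# Returns [algorithm, setting] for a stored hash, or nil if unrecognised.
def crypt_setting(stored_hash)
  SETTING_PATTERNS.each do |algo, re|
    m = re.match(stored_hash)
    return [algo, m[0]] if m
  end
  nil
end

# Anything that is not bcrypt (DES, MD5-crypt, SHA-crypt, or unknown)
# is treated as legacy and should be rehashed when the user next logs in.
def legacy_hash?(stored_hash)
  algo, = crypt_setting(stored_hash)
  algo != :bcrypt
end

# Constant-time comparison: == short-circuits on the first differing byte,
# which leaks how much of the hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the hash from the extracted setting rather than from the whole
# stored string, so the scheme in use is explicit and unknown formats fail.
def check_password(password, stored_hash)
  algo, setting = crypt_setting(stored_hash)
  return false if algo.nil?
  secure_equal?(password.crypt(setting), stored_hash)
end
```

Note that classic DES crypt (the 13-character form) only looks at the first 8 characters of the password, which is one more reason such hashes should be migrated.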