
Wouldn't this make gems like Devise irrelevant?


This still doesn't handle email verification, multiple roles, remember me tokens, and a slew of other features Devise offers.

This is really just some Rails sugar around bcrypt-ruby.


Which wasn't that hard to use unsugared. This move also signals to the community that bcrypt is considered a best practice, important enough that it's included by default. Rails benefits from this.


This move also signals to the community that bcrypt is considered a best practice, important enough that it's included by default.

bcrypt has been considered a best practice for quite a while. It's been OpenBSD's default password hashing scheme since 1997, and used in a number of PHP projects like Drupal, phpBB, and WordPress for many years.


Yup. That hasn't stopped hordes of devs from doing stupid things with passwords. My point is that now, at least for Rails, bcrypt is harder to ignore. And that's a good thing.


I hope so. It's a real pain to switch gems when the auth of the week is left for dead.


Agreed. Switching authentication gems is incredibly painful. Sometimes I think the best solution is to use the "low-level" gems like warden and always craft an authentication system myself.


That reminds me, which is the auth gem of the week currently, Devise?


Devise is excellent. Jose Valim's gems tend to become standards pretty quickly.


For large values of "week", the Railscast for Devise is more than a year old, and it had already gained quite a lot of mind share by then.


Devise with OmniAuth if you want multiple logins.



