docs: passwords are *hashed*, not "encrypted"
"encrypted" implies *symmetrically (reversibly)* encrypted, using something like AES.

e.g. see the other usages of "encrypt" in this security doc:

> unencrypted wireless LAN

> Rails encrypts cookies by default

> For more details on key rotation with encrypted and signed messages

> Rails stores secrets in `config/credentials.yml.enc`, which is encrypted and hence cannot be edited directly

All of these usages are referring to symmetric encryption.

Additionally, all three of the referenced implementations (devise, authlogic, and rails' own has_secure_password) use password _hashing_, not symmetric encryption. [Authlogic notes this](https://github.com/binarylogic/authlogic/blob/0cdd582ba589d7e57fc6ee7b694ff3b769e76cdc/lib/authlogic/acts_as_authentic/password.rb#L105):

> Reversible functions like AES256 are the worst choice, and we no longer support them.

Alternatively, I'd be fine with doubling down on the term "digest" if there's a strong preference for that instead of "hash". From my perspective they're synonyms, and equally distinct from "encrypt". Internally the [Rails has_secure_password implementation](https://github.com/rails/rails/blob/83217025a171593547d1268651b446d3533e2019/activemodel/lib/active_model/secure_password.rb#L7) refers to both "hash" and "digest".
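The distinction the commit message draws, shown in working Ruby. This is an added example, not code from the commit, from Rails, Devise or Authlogic: `has_secure_password` uses bcrypt, which is not assumed to be installed, so the one-way side uses PBKDF2-HMAC-SHA256 from Ruby's standard-library `openssl` instead (the iteration count and storage format are illustrative assumptions). The reversible side is AES-256-GCM, the kind of "encryption" the other uses of the word in the security guide refer to: anyone holding the key gets every plaintext back, whereas the stored password hash can only be checked by recomputing it.

```ruby
require "openssl"
require "securerandom"

# Assumption: illustrative work factor; tune for your hardware.
PBKDF2_ITERATIONS = 100_000
DIGEST_LEN = 32

# One-way: random per-password salt plus a slow KDF. No key is kept anywhere,
# so there is nothing to "decrypt". Salt is a parameter only so tests are deterministic.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: DIGEST_LEN, hash: "sha256")
  # Stored form (assumed layout): scheme$iterations$base64(salt)$base64(digest)
  "pbkdf2-sha256$#{PBKDF2_ITERATIONS}$#{[salt].pack('m0')}$#{[digest].pack('m0')}"
end

# Constant-time byte comparison so a wrong guess doesn't leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifying means recomputing the digest with the stored salt and comparing;
# the original password is never recovered from the stored string.
def password_matches?(stored, candidate)
  scheme, iterations, salt_b64, digest_b64 = stored.split("$")
  return false unless scheme == "pbkdf2-sha256"
  salt = salt_b64.unpack1("m0")
  expected = digest_b64.unpack1("m0")
  actual = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  secure_equal?(expected, actual)
end

# Reversible: AES-256-GCM. Correct for cookies, credentials.yml.enc and the
# like, but wrong for passwords, because the key that encrypts also decrypts.
def aes_encrypt(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def aes_decrypt(blob, key)
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = key
  decipher.iv = blob[:iv]
  decipher.auth_tag = blob[:tag]
  decipher.update(blob[:ciphertext]) + decipher.final
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_password("correct horse battery staple")
  puts "stored hash:     #{stored}"
  puts "right password:  #{password_matches?(stored, 'correct horse battery staple')}"
  puts "wrong password:  #{password_matches?(stored, 'hunter2')}"

  key = SecureRandom.random_bytes(32)
  blob = aes_encrypt("hunter2", key)
  puts "AES round trip:  #{aes_decrypt(blob, key)}"   # the "encrypted" password comes straight back
end
```

The asymmetry is the whole point of the wording change: a database dump of `hash_password` outputs gives an attacker only the option of guessing, one slow KDF call per guess, while a dump of `aes_encrypt` outputs plus the key (which the application must keep somewhere it can read) gives them every password at once.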