I see in the config/initializers/devise.rb, there is a configuration called "config.stretches".

# ==> Configuration for :database_authenticatable
# For bcrypt, this is the cost for hashing the password and defaults to 10. If
# using other encryptors, it sets how many times you want the password re-encrypted.

config.stretches = 10

I don't understand what the stretches mean. It says it is the number of times I want the password "re-encrypted". Why and when will the password be re-encrypted? And why should I specify a "times"?

+1  A: 

The short answer is that it makes brute force dictionary attacks take longer.

This blog post is written in reasonably plain English, and might give you a better idea of what's going on.

jdl
@jdl, thanks for your answer. That post is a little difficult for me, so I still don't understand, sorry. Why do you say it can make the attacks take longer? If I reset it to 100, what will happen?
Freewind
Then it'll require 10x more work to compute your password hashes. The point of this is that it's expensive to generate the password hash. When you just need 1 (like when someone logs in), then no big deal. You won't notice the extra time. You are trying to make it more annoying / impossible for someone to perform a dictionary attack in a reasonable amount of time. They need to generate lots of hashes, so the slower the better (for you, not them).
jdl
Wikipedia has a decent article on this topic. I don't believe that bcrypt is doing exactly this (I don't understand the bcrypt algorithm to any degree), but the idea is the same. http://en.wikipedia.org/wiki/Key_stretching
jdl
I know what you mean now. If the stretches value is larger, the encrypted password will be harder to decrypt. If someone hacked my database, he could get my encrypted password. If my "stretches" is bigger, it will cost him much more time. But I can't set it to a very big value, because when a normal web user logs in, it needs to encrypt the password, which may cost too much time and CPU. So, if my data is not important, or I believe my server is very safe, I can set it to 1. Right? Thanks, @jdl
Freewind
If you leave it at 10, you'll never notice the difference in time.
jdl
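An added Ruby example, not from this thread or from Devise, that models the two meanings of the setting the Devise comment describes: for a generic hasher, a plain iteration count where work grows linearly; for bcrypt (the default), a log2 cost where each +1 doubles the work and only 4..31 are accepted. The function names, the salt and the passwords are constructed for illustration.

```ruby
require 'digest'

# Key stretching in the sense of Devise's "re-encrypted N times" comment:
# the password and salt are fed through SHA-256 `stretches` times, so the
# work to compute (and therefore to guess) a hash grows linearly with N.
def stretch_linear(password, salt, stretches)
  raise ArgumentError, 'stretches must be >= 1' unless stretches >= 1
  state = Digest::SHA256.digest(salt + password)
  (stretches - 1).times { state = Digest::SHA256.digest(state + salt) }
  state.unpack1('H*')
end

# Constant-time hex comparison, so verification does not leak how many
# leading characters of the stored hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login-time check: recompute with the stored salt and stretch count.
# The defender pays one stretched hash per login attempt; an attacker
# pays one per guess for every row of a stolen table.
def verify_stretched(password, salt, stretches, stored_hex)
  secure_equal?(stretch_linear(password, salt, stretches), stored_hex)
end

# bcrypt interprets the same setting as a log2 work factor: its expensive
# key setup runs 2**cost times, and implementations accept only 4..31.
BCRYPT_COST_RANGE = (4..31).freeze

def bcrypt_cost_valid?(cost)
  BCRYPT_COST_RANGE.cover?(cost)
end

def bcrypt_rounds(cost)
  raise ArgumentError, "bcrypt cost #{cost} outside #{BCRYPT_COST_RANGE}" unless bcrypt_cost_valid?(cost)
  2**cost
end

# How much more work (for a login and for each attacker guess alike) a change
# from `from` to `to` means under each interpretation of the setting.
def work_ratio(from, to, model)
  case model
  when :linear then Rational(to, from)
  when :bcrypt then Rational(bcrypt_rounds(to), bcrypt_rounds(from))
  else raise ArgumentError, "unknown model #{model.inspect}"
  end
end

if $PROGRAM_NAME == __FILE__
  salt = 'constructed-salt' # constructed sample; real salts are random per user
  stored = stretch_linear('correct horse', salt, 10)
  puts verify_stretched('correct horse', salt, 10, stored) # true
  puts work_ratio(10, 100, :linear) # 10/1
  puts work_ratio(10, 12, :bcrypt)  # 4/1
end
```

Raising a linear stretch count from 10 to 100 costs ten times as much per hash, while raising bcrypt's cost from 10 to 12 already costs four times as much, and 100 is rejected outright.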