What does the "stretches" of database_authenticatable of devise mean?

I see that in config/initializers/devise.rb there is a configuration option called "config.stretches".

# ==> Configuration for :database_authenticatable
# For bcrypt, this is the cost for hashing the password and defaults to 10. If
# using other encryptors, it sets how many times you want the password re-encrypted.

config.stretches = 10

I don't understand what the stretches mean. It says it is the number of times I want the password "re-encrypted". Why and when will the password be re-encrypted? And why should I specify a "times"?

Freewind Avatar asked Jul 03 '10 04:07



2 Answers

The short answer is that it makes brute-force dictionary attacks take longer.

This blog post is written in reasonably plain English, and might give you a better idea of what's going on.

jdl Avatar answered Oct 28 '22 13:10



Though @jdl's answer has been accepted, it really isn't in plain English, or at least not in a form I'd understand any better. This link helped me better understand stretches:

This will increase performance dramatically if you use bcrypt and create a lot of users (e.g. if you use Factory Bot or Machinist). Key stretching is a method of improving the security of passwords at the expense of speed.

For a deeper understanding you can check out key stretching on the wiki.

Anumit Kaur Avatar answered Oct 28 '22 14:10

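To make both answers concrete, here is an added example that is not part of either answer and not Devise's own code. Devise passes config.stretches to bcrypt as its cost parameter, and bcrypt performs 2**cost internal rounds, so every increment doubles the time of one hash computation for the server and for an attacker's guess alike. bcrypt-ruby is a separate gem, so to stay on Ruby's standard library this example substitutes PBKDF2-HMAC-SHA256 from OpenSSL::KDF with 2**stretches iterations, which has the same shape; the module name Stretching, its methods, and the stored-string layout are assumptions made for the illustration. The stretches_for helper mirrors the environment-conditional pattern the second answer alludes to (a low cost in the test environment so factories stay fast, the full cost elsewhere).

```ruby
require 'openssl'
require 'securerandom'
require 'benchmark'

# Added illustration of key stretching (hypothetical module, not Devise's code).
# Devise hands config.stretches to bcrypt as the cost; bcrypt runs 2**cost rounds.
# To avoid the bcrypt gem this uses PBKDF2-HMAC-SHA256 with 2**stretches iterations,
# so each extra stretch doubles the work for defender and attacker alike.
module Stretching
  KEY_LEN = 32

  # Work factor in the bcrypt sense: the cost is a power of two, not a plain count.
  def self.iterations_for(stretches)
    2**stretches
  end

  # Same idea as Devise's generated initializer: cheap hashing only under test,
  # because factories create many users and each one pays a full derivation.
  def self.stretches_for(env)
    env == 'test' ? 1 : 10
  end

  # Store "stretches$salt_hex$digest_hex" so the cost used at hashing time travels
  # with the hash, just as bcrypt's "$2a$10$..." prefix records its cost.
  def self.hash_password(password, stretches, salt: SecureRandom.random_bytes(16))
    digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                                      iterations: iterations_for(stretches),
                                      length: KEY_LEN, hash: 'sha256')
    [stretches, salt.unpack1('H*'), digest.unpack1('H*')].join('$')
  end

  # Constant-time comparison so a verifier does not leak how many leading bytes match.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Re-derive with the cost recorded in the stored string; a wrong guess costs
  # exactly one full derivation at that cost, which is the whole point of stretching.
  def self.verify(password, stored)
    stretches, salt_hex, digest_hex = stored.split('$')
    recomputed = hash_password(password, stretches.to_i, salt: [salt_hex].pack('H*'))
    constant_time_equal?(recomputed.split('$').last, digest_hex)
  end

  # Seconds for one derivation at a given cost: the inverse bounds how many
  # guesses per second per core an offline dictionary attack can make.
  def self.seconds_per_guess(stretches, samples: 3)
    Benchmark.realtime { samples.times { hash_password('benchmark-only', stretches) } } / samples
  end
end

if $PROGRAM_NAME == __FILE__
  stored = Stretching.hash_password('correct horse', Stretching.stretches_for('production'))
  puts "stored: #{stored}"
  puts "verify right password: #{Stretching.verify('correct horse', stored)}"
  puts "verify wrong password: #{Stretching.verify('wrong horse', stored)}"
  [1, 8, 12].each do |s|
    secs = Stretching.seconds_per_guess(s)
    puts format('stretches=%2d  iterations=%6d  %.5f s/guess  ~%d guesses/s',
                s, Stretching.iterations_for(s), secs, (1.0 / secs).floor)
  end
end
```

Running it shows the trade-off both answers describe: moving from stretches 1 to 12 multiplies the iteration count by 2**11, so the guesses-per-second figure drops by roughly that factor, and so does the number of users a test suite can create per second. Real bcrypt rounds are far heavier than a PBKDF2 iteration, so the absolute timings differ, but the doubling per stretch is the same.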