How disable encrypting password in devise?

How 开发者_开发百科disable encrypting password in devise?

DISCLAIMER: While it certainly is not generally wise to store passwords unencrypted, there could exist cases in which the developer would want to do this. Hopefully the developer is conscientious enough to make sure that in making this generally poor security decision for their app, they are not endangering personal and or identifying info of their users. You might imagine a case where the app's only logged information is user interaction with the system as in some kind of study of user interaction.

tl;dr One can disable encryption in devise by creating a custom encryptor and just having it return the password directly.

I agree with Shingara. You should never store people's passwords in an manner that's recoverable devise stores passwords hashed (not encrypted), they're both unreadable formats, but the difference is that you can't reverse the hashing.

If you're wondering why, this is so that if your site or database gets compromised, the hackers won't be able to steal your users passwords (users have a bad habit of using the same password on almost every site). You don't want to look silly by not hashing passwords, and you've no excuse since it's provided free for you with devise.

The only thing you need to be able to do with a password is authorize a user, which can still be done with a hashed password. You never need to tell users their password if they forget it, instead reset their password to something new (devise supports this too).