password_column.rdoc

doc/guides/password_column.rdoc
Last Update: 2020-06-30 15:06:09 -0700

Store password hash in accounts table

By default, Rodauth stores the password hash in a separate account_password_hashes table rather than in the accounts table. The point of the separation is that the database user the application connects as can be denied access to account_password_hashes entirely: with Rodauth’s default approach, the hash is looked up and checked by database functions (rodauth_get_salt and rodauth_valid_password_hash) owned by a different database user, so a SQL injection or a leaked application database credential cannot dump the hashes.

However, if you have reasons for storing the password hashes in the accounts table that outweigh this protection, Rodauth supports that. Be aware of what you give up: with the hash in the accounts table, Rodauth reads it into the application process and verifies it there instead of calling the database functions, so anything that can read the accounts table can read every password hash.

To do this, add the password hash column to the accounts table:

# Inside a Sequel migration (or a DB.alter_table call): add the column
# that will hold the bcrypt hash for each account.
alter_table :accounts do
  add_column :password_hash, String
end

And then tell Rodauth to use it:

plugin :rodauth do
  enable :login, :logout

  # Use the password_hash column in the accounts table.
  # With this set, Rodauth reads and verifies the hash from accounts
  # instead of looking it up in account_password_hashes.
  account_password_hash_column :password_hash
end
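As an added example that is not part of the Rodauth guide, the following PostgreSQL statements show the same change applied to an existing deployment: adding the column, copying existing hashes across from account_password_hashes, checking the copy, and then making the privilege trade-off visible. It assumes the default table and column names used above, that the application connects as a role named app, and that account_password_hashes and the helper functions are owned by a separate role (named ph here); both role names are assumptions. A Sequel migration can wrap the same statements with run.

```sql
-- Added example (PostgreSQL), not from the Rodauth guide. Assumed names:
-- the application connects as role "app"; account_password_hashes and the
-- rodauth_* functions are owned by a separate role "ph". Table and column
-- names are the defaults from the guide above.

-- 1. Run as a role that can read account_password_hashes (its owner, not
--    "app"): add the column and copy each account's hash across.
--    account_password_hashes.id is the account id, Rodauth's default
--    password_hash_id_column.
ALTER TABLE accounts ADD COLUMN password_hash text;

UPDATE accounts AS a
   SET password_hash = h.password_hash
  FROM account_password_hashes AS h
 WHERE h.id = a.id;

-- 2. Check the copy: every account that had a hash row must now have a
--    hash in accounts. A non-zero count means the backfill missed rows.
SELECT count(*) AS accounts_missing_hash
  FROM account_password_hashes AS h
  JOIN accounts AS a ON a.id = h.id
 WHERE a.password_hash IS NULL;

-- 3. The security trade-off, made visible. If the default setup was
--    followed, the app role has no SELECT on the hash table; once the hash
--    lives in accounts, the app role must be able to read it, so any SQL
--    injection or leaked app credential can dump every hash.
SELECT has_table_privilege('app', 'account_password_hashes', 'SELECT')
           AS app_can_read_hash_table,
       has_column_privilege('app', 'accounts', 'password_hash', 'SELECT')
           AS app_can_read_hash_column;

-- 4. Only after the application is deployed with account_password_hash_column
--    set and logins are confirmed working, retire the old table (and, if no
--    longer needed, the rodauth_get_salt / rodauth_valid_password_hash
--    functions, using the argument types they were created with).
-- DROP TABLE account_password_hashes;
```

Run steps 1 and 2 in one transaction so a failed copy does not leave a half-populated column, and keep the old table until the check in step 2 returns zero and a real login has succeeded against the new column.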