The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the best choice for password storage today. They have the three properties of password hashing that are desirable. They are one-way, unique, and slow. While a salted SHA or MD5 hash is one-way and unique, preventing rainbow table attacks, they are still lightning fast and attacks on the stored passwords are much more effective. This benchmark demonstrates the effective slowdown that BCrypt provides:

  require "bcrypt"
  require "digest"
  require "benchmark"

  Benchmark.bm(18) do |x|
    x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
    x.report("BCrypt (cost = 4:") { 100.times { BCrypt::Password.create("mypass", :cost => 4) } }
    x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
    x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
  end

                           user     system      total        real
  BCrypt (cost = 10):  37.360000   0.020000  37.380000 ( 37.558943)
  BCrypt (cost = 4):    0.680000   0.000000   0.680000 (  0.677460)
  Sha512:               0.000000   0.000000   0.000000 (  0.000672)
  Sha1:                 0.000000   0.000000   0.000000 (  0.000454)

You can play around with the cost to get that perfect balance between performance and security. A default cost of 10 is the best place to start.

Decided BCrypt is for you? Just install the bcrypt gem:

  gem install bcrypt

Tell acts_as_authentic to use it:

  acts_as_authentic do |c|
    c.crypto_provider = Authlogic::CryptoProviders::BCrypt
  end

You are good to go!