I’ve always wondered about this.
Creating password in database:
> password = 'secret'
> encrypted_password_in_database = BCrypt::Password.create(password)
> BCrypt::Password.new(encrypted_password_in_database) == 'secret'
=> true
== is actually a method defined in bcrypt-ruby.
Devise compares it using something like a constant-time secure comparison, but the bcrypt-ruby project decided not to go with that. Read more about it here:
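To make the distinction concrete, here is an added example (not code from the post, Devise or bcrypt-ruby) of a Devise-style constant-time comparison and a verifier that uses it in place of BCrypt::Password#==. The `hasher` callable and `DEMO_HASHER` are hypothetical names; DEMO_HASHER is a constructed stand-in so the snippet runs without the bcrypt gem, and the comment shows what to plug in when the gem is present.

```ruby
require 'digest'

# Constant-time string comparison in the style Devise uses: XOR every byte
# pair and OR the results together, so the time taken does not depend on
# where the first mismatch occurs. The length check runs first; bcrypt
# hashes are fixed-length (60 chars), so it leaks nothing about the secret.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A bcrypt hash string is "$2a$<cost>$<22-char salt><31-char hash>"; the
# first 29 characters are the salt the candidate must be hashed with.
BCRYPT_SALT_LENGTH = 29

# Verify a candidate password against a stored bcrypt hash. `hasher` is any
# callable taking (salt, password) and returning the full 60-char string;
# with the bcrypt gem use: ->(salt, pw) { BCrypt::Engine.hash_secret(pw, salt) }
# The recomputed hash is compared with secure_compare, not with ==.
def password_matches?(stored_hash, candidate, hasher)
  return false unless stored_hash.is_a?(String) && stored_hash.length == 60
  salt = stored_hash[0, BCRYPT_SALT_LENGTH]
  secure_compare(hasher.call(salt, candidate), stored_hash)
end

# Constructed stand-in for bcrypt (hypothetical, NOT bcrypt): keeps the salt
# prefix and fills the remaining 31 chars from SHA-256 of salt + password.
# It exists only so the comparison path can be exercised offline.
DEMO_HASHER = lambda do |salt, password|
  salt + Digest::SHA256.base64digest(salt + password)[0, 31]
end

if __FILE__ == $PROGRAM_NAME
  stored = DEMO_HASHER.call('$2a$12$' + 'a' * 22, 'secret') # constructed salt
  p password_matches?(stored, 'secret', DEMO_HASHER) # true
  p password_matches?(stored, 'secre7', DEMO_HASHER) # false
end
```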