I’ve always wondered about this.

Creating password in database:

> password = 'secret'
> encrypted_password_in_database = BCrypt::Password.create(password)

Comparing password:

> BCrypt::Password.new(encrypted_password_in_database) == 'secret'
=> true

== is actually a method defined in bcrypt-ruby.

Devise compares it using something like a constant-time secure comparison, but the bcrypt-ruby project decided not to go with that. Read more about it here:
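Added example (not part of the original post, and not Devise's or bcrypt-ruby's own code): a sketch of the Devise-style check described above, which re-hashes the candidate with the salt taken from the stored hash and compares the two hash strings in constant time. The helper names `secure_compare` and `valid_password?` are chosen for this illustration, and the bcrypt gem is assumed to be installed.

```ruby
# Added example: bcrypt check followed by a constant-time string comparison.

# Compare two strings without stopping at the first differing byte.
# Lengths are checked first; bcrypt hash strings have a fixed length,
# so this early return reveals nothing useful about a stored hash.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-hash the candidate with the salt and cost embedded in the stored
# hash, then compare the resulting hash strings with secure_compare.
def valid_password?(stored_hash, candidate)
  require "bcrypt" # loaded lazily so secure_compare works without the gem

  stored = stored_hash.to_s
  begin
    salt = BCrypt::Password.new(stored).salt
  rescue BCrypt::Errors::InvalidHash
    return false # an empty or malformed stored value never authenticates
  end

  secure_compare(BCrypt::Engine.hash_secret(candidate, salt), stored)
end
```

With a value produced by `BCrypt::Password.create('secret')`, `valid_password?(encrypted_password_in_database, 'secret')` gives the same answer as the `==` call shown earlier; only the final string comparison differs.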