I'm not sure of the details of the railscast you're referring to, but a common method for storing passwords is to store an encrypted digest rather than the actual password so that someone accessing your database won't have the actual passwords of your users. The password isn't actually saved. Here's one way that can work:

    # models/user.rb
    # Virtual attribute writer: hash the plaintext with bcrypt and keep only the digest.
    def password=(new_password)
      self.password_digest = ::BCrypt::Password.create(new_password, cost: 10).to_s
    end

This way, the password_digest is being set before validations so it will pass.