You are correct — the DB is only saving the hashed password, not the password itself. You can confirm this by accessing the database directly using the read_attribute method (http://www.rubydoc.info/docs/rails/3.0.0/ActiveRecord/AttributeMethods/Read):
> u = User.new …
> u.read_attribute(:password_digest)
=> # Some hash
> u.read_attribute(:password)
=> nil
Incidentally, also make sure your User model does not have a password column. Otherwise it would save the password directly, defeating the purpose of hashing the password.
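
A plain-Ruby sketch of the behaviour described above, added here as an illustration and not part of the original answer or of Rails: the plaintext is a virtual attribute held only in memory, the stored row carries only the digest, and a guard flags a schema that has a password column. SketchUser, its COLUMNS list and the sample values are hypothetical, and PBKDF2 from the standard library stands in for whatever hash the application actually uses.

```ruby
require "openssl"
require "securerandom"

# Hypothetical stand-in for a model; `attributes` plays the role of the
# row that would be written to the users table.
class SketchUser
  COLUMNS = %w[email password_digest].freeze # constructed schema
  ITERATIONS = 100_000

  attr_reader :attributes, :password

  def initialize(email:, password:)
    @attributes = { "email" => email }
    self.password = password
  end

  # Virtual attribute: the plaintext stays in memory, only the digest is stored.
  def password=(plain)
    @password = plain
    salt = SecureRandom.hex(16)
    @attributes["password_digest"] = "#{salt}$#{derive(plain, salt)}"
  end

  # Reads a stored column; anything not persisted comes back as nil.
  def read_attribute(name)
    @attributes[name.to_s]
  end

  def authenticate(candidate)
    salt, expected = read_attribute(:password_digest).split("$", 2)
    secure_equal?(derive(candidate, salt), expected) ? self : false
  end

  # Guard for the caveat above: true means plaintext would be persisted.
  def self.plaintext_password_column?(columns = COLUMNS)
    columns.include?("password")
  end

  private

  def derive(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, ITERATIONS, 32, "SHA256").unpack1("H*")
  end

  # Constant-time comparison of two equal-length hex strings.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```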