rebuilt said almost 2 years ago on Authentication from Scratch :
I was surprised by your use of sleep in a controller.  I'd been under the impression that using sleep would put the entire web server to sleep and slow down connections for other users.  After some research it seems this is only true for single threaded servers like WEBrick.  But then I looked up the default server for Heroku, and it's WEBrick.   Do I have my facts right?   Am I correct in assuming that calling sleep in a controller and then using the default Heroku server will slow requests for all users?

David Kimura PRO said almost 2 years ago on Authentication from Scratch :
You are essentially putting a pause on that thread, so it is not ideal. However, I think that it must be weighed given the situation with potentially exposing customer emails. This was more of an illustration of one of the things that a developer may not think of that a bad actor may.

I am not sure about Heroku default app servers. I typically would use the Procfile to specify booting up Puma, so that would probably be a non issue. Their documentation does have a recommendation for using Puma as well. https://devcenter.heroku.com/articles/ruby-default-web-server#production-web-server

someone PRO said almost 2 years ago on Authentication from Scratch :
Good video, would definitely like to see a follow up with password resets implemented and confirmation emails.  Thanks.

coderhs said almost 2 years ago on Authentication from Scratch :
Good videos. Thanks for sharing the potential security flaw by looking at the speed of the response. Would love a video on a list of things a bad actor could do to cause harm to your site.

Also, do you have any links or references to learn more about what's happening under the hood with the `user.authenticate` method? Also, can we change the hashing algorithm from bcrypt to something else?

David Kimura PRO said almost 2 years ago on Authentication from Scratch :
The authenticate method is an alias for some metaprogramming that's going on in the module that is included by has_secure_password.

https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/InstanceMethodsOnActivation.html

  # excerpt from InstanceMethodsOnActivation; `attribute` is the symbol passed
  # to has_secure_password (:password by default)
  define_method("authenticate_#{attribute}") do |unencrypted_password|
    attribute_digest = public_send("#{attribute}_digest")
    # BCrypt re-hashes the candidate with the salt stored in the digest and
    # compares; returns the record on a match, false otherwise
    BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
  end

  alias_method :authenticate, :authenticate_password if attribute == :password

So it basically just calls BCrypt's is_password? method to check whether they match.

coderhs said almost 2 years ago on Authentication from Scratch :
Gotcha. So if one wants to replace BCrypt with something like Pufferfish2, they should just not include `has_secure_password` and then create the `authenticate_password` and `password=` methods on their own.
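The two points the thread touches, what `authenticate` does under the hood and what a hand-rolled replacement for `has_secure_password` has to provide, plus the response-timing leak the sleep was there to hide, in one added example. This is not code from the episode, from Rails, or from the bcrypt gem. It assumes PBKDF2-HMAC-SHA256 from Ruby's standard-library OpenSSL as a stand-in KDF (so it runs with no extra gems; a real bcrypt replacement would be a memory-hard function), a made-up `alg$iterations$salt$hex` digest format, an in-memory `Authenticator` instead of a controller and database, and a `User.kdf_calls` counter added purely to make the cost of each login path observable without timing measurements.

```ruby
require "openssl"
require "securerandom"

# Added example (not Rails or the bcrypt gem): a plain Ruby object that
# supplies the two methods has_secure_password would otherwise define,
# password= and authenticate_password, backed by a different KDF.
# PBKDF2-HMAC-SHA256 from Ruby's stdlib is the stand-in here so this runs
# without extra gems; the digest format below is invented for this example.
class User
  ITERATIONS = 50_000
  KEY_BYTES  = 32

  attr_reader :email, :password_digest

  class << self
    attr_accessor :kdf_calls # instrumentation only: how many times the KDF ran
  end
  self.kdf_calls = 0

  def initialize(email)
    @email = email
  end

  # Mirrors password= from has_secure_password: salt and hash the plaintext,
  # keep only the digest.
  def password=(unencrypted_password)
    salt = SecureRandom.hex(16)
    @password_digest = self.class.digest(unencrypted_password, salt, ITERATIONS)
  end

  # Self-describing digest: algorithm$iterations$salt$hex(key).
  def self.digest(password, salt, iterations)
    self.kdf_calls += 1
    key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                   length: KEY_BYTES, hash: "sha256")
    "pbkdf2-sha256$#{iterations}$#{salt}$#{key.unpack1('H*')}"
  end

  # Constant-time equality on equal-length strings, so comparing the
  # recomputed digest to the stored one does not leak how many leading
  # bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Same contract as the Rails method: the user on success, false otherwise.
  def authenticate_password(unencrypted_password)
    return false if password_digest.nil?
    _alg, iterations, salt, _hex = password_digest.split("$", 4)
    candidate = self.class.digest(unencrypted_password, salt, iterations.to_i)
    self.class.secure_compare(candidate, password_digest) && self
  end
  alias_method :authenticate, :authenticate_password
end

# Two login paths over an in-memory user table (constructed for the example).
class Authenticator
  # Digest for a user that does not exist; hashed against when the e-mail is
  # unknown so that path costs the same as a real password check.
  DUMMY_DIGEST = User.digest("unused", "0" * 32, User::ITERATIONS)

  def initialize(users)
    @users = users.to_h { |u| [u.email, u] }
  end

  # Leaky: returns before any hashing when the e-mail is unknown, so the
  # response is measurably faster for addresses that are not registered.
  def leaky_login(email, password)
    user = @users[email]
    return nil unless user
    user.authenticate(password) || nil
  end

  # Padded: the KDF runs exactly once on both paths, so response time does
  # not reveal whether the e-mail exists. Same goal as the sleep discussed
  # above, without parking the thread on a fixed delay.
  def padded_login(email, password)
    user = @users[email]
    if user
      user.authenticate(password) || nil
    else
      _alg, iterations, salt, _hex = DUMMY_DIGEST.split("$", 4)
      User.digest(password, salt, iterations.to_i)
      nil
    end
  end
end

if $PROGRAM_NAME == __FILE__
  alice = User.new("alice@example.com")
  alice.password = "correct horse battery staple"
  auth = Authenticator.new([alice])
  User.kdf_calls = 0
  auth.leaky_login("nobody@example.com", "x")
  puts "leaky login, unknown e-mail:  #{User.kdf_calls} KDF call(s)"
  auth.padded_login("nobody@example.com", "x")
  puts "padded login, unknown e-mail: #{User.kdf_calls} KDF call(s) so far"
end
```

The `leaky_login` path does zero hashing for an unknown address and one full KDF run for a known one, which is the difference an attacker measures; `padded_login` does one KDF run either way. The dummy digest must use the same iteration count as real records, otherwise the padding itself becomes the tell.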
