This is a relatively recent development for Rails. Lots of major Rails-backed products were developed during the 2.x era and still have salted SHA1 passwords.
"When security code fails, you find out 4 years from now, when a DVD with all your customer’s credit card and CVV2 information starts circulating in Estonia."
Written by some familiar-sounding guy about 6 years back (which, based on the wikipedia timeline, is 7 major Rails releases ago):
