has_secure_password is not an "auth module". That's simply a handy function to handle a password attribute... which an actual auth module can make use of if it desired.

My mistake. :) was that added in 5?

Am I reading that right or is it just comparing an unencrypted string to the encrypted version?

It was added in 3.1 (http://guides.rubyonrails.org/3_1_release_notes.html) and uses bcrypt under the hood.