Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to validate password strength with Devise in Ruby on Rails?

I want to force a user to choose a strong password on registration.

I know, there are many jquery password strength meters out there, and I will most probably use one of them, too. But that does not really enforce anyone to choose a strong password. The registration form must also be useable without js enabled, so one could still potentially register with a weak password.

Accounts must be most secure, because if you are logged in, you can see data of other accounts, which I do not want exposed under any circumstances. So I want to go for maximum security here, therefore I think, it is most important to only allow strong passwords.

So,

How do I set and customize requirements for validating minimum password strength? Only thing I could find in the devise config file is password length. Is there another gem that I should use for this task?

like image 960
Conkerchen Avatar asked Jan 20 '13 23:01

Conkerchen


3 Answers

You can use the Devise Security extension, where you can define a password regexp validation (among other things) and enforce the password strength you want.

like image 115
aromero Avatar answered Sep 22 '22 13:09

aromero


I've recently released a devise gem which uses the zxcvbn library to reject weak passwords:

https://github.com/bitzesty/devise_zxcvbn

like image 29
MatthewFord Avatar answered Sep 19 '22 13:09

MatthewFord


As of this writing (2018), I'd suggest other-folk to consider the newer Devise Security fork before settling on the previously recommended Devise Security extension gem (stale as of v0.10.0 March 2016, but still OG AF mang!)

edit: This one looks more recent, but idk.

like image 22
aschyiel Avatar answered Sep 19 '22 13:09

aschyiel