16

I want to force a user to choose a strong password on registration.

I know there are many jQuery password strength meters out there, and I will most probably use one of them, too. But that does not really force anyone to choose a strong password. The registration form must also be usable without JS enabled, so one could still potentially register with a weak password.

Accounts must be as secure as possible, because if you are logged in, you can see data of other accounts, which I do not want exposed under any circumstances. So I want to go for maximum security here; therefore I think it is most important to only allow strong passwords.

So,

How do I set and customize requirements for validating minimum password strength? The only thing I could find in the Devise config file is password length. Is there another gem that I should use for this task?

3 Answers

14

You can use the Devise Security extension, where you can define a password regexp validation (among other things) and enforce the password strength you want.


3 Comments

Sounds good. I'll give it a try. Though, I haven't seen the regex syntax used in the config file before. (?=...) I see what it does, but I would appreciate a little explanation of what the ?'s mean.
IMHO these tests are too naive; it just wants a number & capital letter. A very long password with no numbers is still secure, but Passw0rd (for example) is a piss poor password (yet still meets these requirements)
@Carpetsmoker is right; trying to do password strength by matching regular expressions is an awful idea.
9

I've recently released a devise gem which uses the zxcvbn library to reject weak passwords:

https://github.com/bitzesty/devise_zxcvbn

3 Comments

Be warned that this ends up using ExecJS - that's a surprising dependency.
@jamesmoore this was needed as the pure Ruby version of the zxcvbn algorithm wasn't returning the same results as the JS version; we switched so that we could get the same results on the front end and the back end.
Interesting - definitely a design tradeoff here. I'd much rather have no js dependency and get slightly different results (and just do it all on the server, so client-side results would be irrelevant), but it makes sense that some people need the opposite.
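To make the trade-off in the two answers above concrete, here is an added example (not code from either answer, and not from the devise_security or devise_zxcvbn gems): a plain-Ruby server-side policy that keeps the lookahead regex from the first answer only to show what it accepts, and decides instead on a length floor, a denylist applied after undoing leetspeak and trailing digits, and a crude guess-space estimate in the spirit of zxcvbn (not the zxcvbn algorithm itself). The `PasswordPolicy` class, its thresholds, the tiny `COMMON` list and the model hook in the trailing comment are all assumptions for illustration.

```ruby
require "set"

# Added example, not from the answers above or from the devise_security /
# devise_zxcvbn gems. Pure Ruby so it runs without Rails or ExecJS.
class PasswordPolicy
  MIN_LENGTH = 12   # assumed policy values
  MIN_BITS   = 50

  # Lookahead regex of the kind set in the devise_security config:
  # (?=.*\d) asserts "a digit appears somewhere" without consuming input,
  # (?=.*[A-Z]) does the same for an upper-case letter. Kept here only to
  # show that weak passwords satisfy it; it is not part of the verdict.
  COMPLEXITY_RE = /\A(?=.*\d)(?=.*[A-Z]).+\z/

  # Constructed stub denylist; in practice load a breached-password list.
  COMMON = Set.new(%w[password 123456 qwerty letmein welcome iloveyou]).freeze

  # Leetspeak substitutions, reversed, so "Passw0rd" normalises to "password".
  LEET = { "0" => "o", "1" => "i", "3" => "e", "4" => "a",
           "5" => "s", "7" => "t", "@" => "a", "$" => "s" }.freeze

  Result = Struct.new(:ok, :bits, :errors)

  # Undo the cheap tricks a cracking wordlist already accounts for:
  # case, a trailing digit run, and leet substitutions.
  def self.normalize(pw)
    pw.downcase.sub(/\d+\z/, "").gsub(/[013457@$]/, LEET)
  end

  # Naive estimate: length * log2(alphabet size implied by the classes used).
  # This is what lets a long all-lowercase passphrase pass without digits.
  def self.estimate_bits(pw)
    alphabet = 0
    alphabet += 26 if pw =~ /[a-z]/
    alphabet += 26 if pw =~ /[A-Z]/
    alphabet += 10 if pw =~ /\d/
    alphabet += 33 if pw =~ /[^a-zA-Z\d]/
    return 0.0 if alphabet.zero?
    (pw.length * Math.log2(alphabet)).round(1)
  end

  # Returns a Result; errors are phrased to be appended to errors[:password].
  def self.check(pw)
    errors = []
    errors << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    errors << "is too common" if COMMON.include?(normalize(pw))
    bits = estimate_bits(pw)
    errors << "is too predictable (#{bits} bits, need #{MIN_BITS})" if bits < MIN_BITS
    Result.new(errors.empty?, bits, errors)
  end

  # True when the lookahead regex alone would have accepted the password.
  def self.regex_only_accepts?(pw)
    COMPLEXITY_RE.match?(pw)
  end
end

# Wiring into a Devise model (assumed shape, shown as a comment so this
# file stays Rails-free):
#   validate do
#     if password.present?
#       PasswordPolicy.check(password).errors.each { |e| errors.add(:password, e) }
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  ["Passw0rd", "correct horse battery staple"].each do |pw|
    r = PasswordPolicy.check(pw)
    puts "#{pw.inspect}: regex=#{PasswordPolicy.regex_only_accepts?(pw)} " \
         "policy=#{r.ok} bits=#{r.bits} #{r.errors.join('; ')}"
  end
end
```

Run it and the two sample inputs land on opposite sides of the regex and the policy: "Passw0rd" satisfies the digit-plus-capital lookaheads but is short, normalises to a denylisted word and scores under 50 bits, while the four-word passphrase fails the regex yet clears every policy check. The bit estimate is deliberately crude; a real deployment would swap it for zxcvbn or a breached-password lookup, which is exactly the choice the second answer and its comments debate.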
2

As of this writing (2018), I'd suggest folks consider the newer Devise Security fork before settling on the previously recommended Devise Security extension gem (stale as of v0.10.0 March 2016).

Comments
