
Increasing devise's default password length

Open angelamchoi opened this issue 2 years ago • 6 comments

Hi @Carlosantoniodasilva and Devise team!

Currently, Devise's minimum password length is 6 characters, without any strict requirements on uppercase and lowercase letters, digits and symbols. For example, 123456 would be an acceptable password. I wanted to know if Devise would consider increasing the default password length to 10-12 min. characters, with stronger password requirements such as adding uppercase, lowercase, letters, and/or symbols to ensure all users have a secure password. I have attached an image for more information. I would love to work on this issue.

Please let me know if you have any questions.

Thank you.

image

angelamchoi avatar Apr 27 '23 01:04 angelamchoi

Great call @angelamchoi! @carlosantoniodasilva and Devise team can I open a PR adding some config which essentially does this?

# config/initializers/devise.rb
Devise.setup do |config|
  config.password_length = 8..128  # existing option; Devise's default is 6..128
  # proposed new options (not in Devise today), each toggling one complexity rule
  config.password_require_lower_case = true
  config.password_require_upper_case = true
  config.password_require_special_character = true
  config.password_require_number = true
end

# on the Devise model (e.g. app/models/user.rb)
validate :password_complexity

def password_complexity
  # nothing to check when the password is not being set, e.g. a profile
  # update that leaves the password untouched (password is nil then)
  return if password.blank?

  lower_case_regex = /(?=.*[a-z])/
  upper_case_regex = /(?=.*[A-Z])/
  digit_regex = /(?=.*[0-9])/
  special_char_regex = /(?=.*[\W])/

  [
    [lower_case_regex, :no_lowercase],
    [upper_case_regex, :no_uppercase],
    [digit_regex, :no_digit],
    [special_char_regex, :no_special]
  ].each do |regex, error|
    # each error key maps to a locale entry under errors.messages
    errors.add :password, error unless password.match?(regex)
  end
end

kykyi avatar Aug 27 '24 02:08 kykyi

@kykyi I was just about to build this myself but would love to have an easy way for other users to do the same thing (ex: config.password_require_special_character = true, specifying special character requirements)

Please feel free to put me on the PR so I can take a look 😄

also just nudging this for attention!

jeffreygray avatar Nov 21 '24 22:11 jeffreygray

linking to "How To: Set up simple password complexity requirements" for others like me that might want to tackle this soon

jeffreygray avatar Nov 21 '24 22:11 jeffreygray

@jeffreygray I'll open a PR and tag you in it ✅

kykyi avatar Nov 21 '24 23:11 kykyi

Hey @jeffreygray see above 😄 🙏

kykyi avatar Nov 22 '24 04:11 kykyi

Increasing the default length is good. Password complexity, no (e.g. as mentioned in the PR: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Donotusecomplexityrequirements).

Best defence against brute force is some usage of something like Rack::Attack (e.g. fail2ban/allow2ban/throttling) https://github.com/rack/rack-attack

timdiggins avatar Dec 19 '24 16:12 timdiggins
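The two positions in this thread, the character-class validator proposed by kykyi and the "longer minimum, no complexity, throttle the brute force" view from timdiggins, can be put side by side in a single runnable script. This is an added example, not Devise or Rack::Attack code: LengthPolicy and ComplexityPolicy are plain-Ruby stand-ins for model validations, COMMON_PASSWORDS is a constructed five-entry deny list standing in for a real breached-password list, and Fail2Ban is an in-memory model of the maxretry/findtime/bantime semantics that Rack::Attack's Fail2Ban filter provides (it keeps its counters in Rails.cache; this one keeps them in a Hash and takes an injectable clock so the window logic can be checked). All thresholds are assumptions.

```ruby
require "set"

# Constructed sample deny list; a real deployment loads a large breached-
# password list from a file rather than inlining a handful of entries.
COMMON_PASSWORDS = Set.new(%w[123456 password qwerty 12345678 iloveyou]).freeze

# Length-first policy in the spirit of the NCSC guidance cited above:
# long minimum, no character-class rules, deny list of known-bad values.
# The 72-byte cap matters because bcrypt silently truncates input at 72 bytes.
module LengthPolicy
  MIN_LENGTH = 12
  MAX_LENGTH = 72

  # Returns an array of symbolic errors; an empty array means accepted.
  def self.errors_for(password)
    return [:blank] if password.nil? || password.empty?
    errs = []
    errs << :too_short  if password.length < MIN_LENGTH
    errs << :too_long   if password.bytesize > MAX_LENGTH
    errs << :too_common if COMMON_PASSWORDS.include?(password.downcase)
    errs
  end
end

# Character-class policy equivalent to the validator proposed in the thread,
# kept here only to contrast its verdicts with the length-first policy.
module ComplexityPolicy
  RULES = {
    no_lowercase: /[a-z]/,
    no_uppercase: /[A-Z]/,
    no_digit:     /[0-9]/,
    no_special:   /\W/
  }.freeze

  def self.errors_for(password)
    return [:blank] if password.nil? || password.empty?
    RULES.reject { |_, re| password.match?(re) }.keys
  end
end

# Fail2ban-style lockout: after +maxretry+ failures within +findtime+ seconds,
# the discriminator (an IP, or a login name) is banned for +bantime+ seconds.
# Only failures inside the sliding window count, so slow guessing at one
# attempt per findtime never trips the ban; a shorter findtime or a separate
# per-account throttle would be the answer to that (assumption, not shown).
class Fail2Ban
  def initialize(maxretry:, findtime:, bantime:, clock: -> { Time.now.to_f })
    @maxretry, @findtime, @bantime, @clock = maxretry, findtime, bantime, clock
    @failures = Hash.new { |h, k| h[k] = [] } # discriminator => failure times
    @banned   = {}                            # discriminator => ban expiry
  end

  def banned?(key)
    expiry = @banned[key]
    return false unless expiry
    return true if @clock.call < expiry
    @banned.delete(key) # ban has lapsed
    false
  end

  # Record the outcome of one login attempt. Returns true when the attempt
  # must be rejected: either the key is already banned, or this failure just
  # crossed the threshold. A correct password while banned is still rejected.
  def record(key, failed:)
    return true if banned?(key)
    return false unless failed

    now = @clock.call
    window = @failures[key].select { |t| now - t < @findtime }
    window << now
    @failures[key] = window
    return false if window.size < @maxretry

    @banned[key] = now + @bantime
    @failures.delete(key)
    true
  end
end

if $PROGRAM_NAME == __FILE__
  p LengthPolicy.errors_for("123456")                         # [:too_short, :too_common]
  p ComplexityPolicy.errors_for("Password1!")                 # [] passes, yet trivially guessable
  p LengthPolicy.errors_for("Password1!")                     # [:too_short]
  p ComplexityPolicy.errors_for("correct horse battery staple") # [:no_uppercase, :no_digit]
  p LengthPolicy.errors_for("correct horse battery staple")  # []

  ban = Fail2Ban.new(maxretry: 5, findtime: 60, bantime: 600)
  results = Array.new(6) { ban.record("203.0.113.7", failed: true) }
  p results                                                   # [false, false, false, false, true, true]
end
```

The contrast in the demo is the point: "Password1!" satisfies every class rule and fails the length-first policy, while a four-word passphrase is rejected by the complexity rules and accepted by length alone. The lockout then does the work the validator cannot, making online guessing of a leaked-but-compliant password expensive regardless of which policy is in force.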