How To: Set up simple password complexity requirements
Juan Manuel Furattini edited this page Jan 31, 2019
The best solution would be to use a third-party library such as strong_password, which tries to comply with the NIST requirements:
https://github.com/bdmac/strong_password
June 2016:
Here is a simple method of adding a password strength/complexity requirement to Devise without using the devise-security extension (using the extension is recommended).

Example: add the following lines to user.rb in the app/models directory. Edit the regex to your liking.
```ruby
validate :password_complexity

def password_complexity
  # Regexp extracted from https://stackoverflow.com/questions/19605150/regex-for-password-must-contain-at-least-eight-characters-at-least-one-number-a
  # Anchored with \A and \z so the whole string must match: in Ruby, ^ and $ only
  # match at line boundaries, so a password containing a newline could satisfy
  # the pattern on one line alone (and exceed the 70-character cap).
  return if password.blank? || password =~ /\A(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,70}\z/

  errors.add :password, 'Complexity requirement not met. Length should be 8-70 characters and include: 1 uppercase, 1 lowercase, 1 digit and 1 special character'
end
```
Afterwards, any password created by a user or an admin must meet the regex requirements.

If the password length is already checked by another method, this version suits better:
```ruby
def password_complexity
  # Regexp extracted from https://stackoverflow.com/questions/19605150/regex-for-password-must-contain-at-least-eight-characters-at-least-one-number-a
  # Only the character-class requirements are checked here; length is validated elsewhere.
  return if password.blank? || password =~ /(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-])/

  errors.add :password, 'Complexity requirement not met. Please use: 1 uppercase, 1 lowercase, 1 digit and 1 special character'
end
```