Introduce config to allow for password complexity #5727
Conversation
kykyi
force-pushed
the
feautre/provide-config-options-for-password-complexity
branch
from
7fd350f to
98a037a
Compare
to be validated in :validatable with lower case, upper case, numbers, and configurable special character presence to be validated on.
kykyi
force-pushed
the
feautre/provide-config-options-for-password-complexity
branch
from
98a037a to
a6301cc
Compare
|
Hey @nashby if I could please request a review 😄 |
lib/devise.rb
Outdated
| # Validate presence of lower case letter in password | ||
| mattr_accessor :password_requires_lowercase | ||
| @@password_requires_lowercase = false | ||
|
|
||
| # Validate presence of upper case letter in password | ||
| mattr_accessor :password_requires_uppercase | ||
| @@password_requires_uppercase = false | ||
|
|
||
| # Validate presence of special character in password | ||
| mattr_accessor :password_requires_special_character | ||
| @@password_requires_special_character = false | ||
|
|
||
| # Special character options | ||
| mattr_accessor :password_special_characters | ||
| @@password_special_characters = "!?@#$%^&*()_+-=[]{}|:;<>,./" | ||
|
|
||
| # Validate presence of a number in password | ||
| mattr_accessor :password_requires_number | ||
| @@password_requires_number = false | ||
|
|
There was a problem hiding this comment.
I wonder if there could be some more general config like:
@@require_complex_password = falseWhich if true would require all of these individual pieces?
So the validations could become:
validates_format_of :password, with: /\p{Upper}/, if: -> { password_requires_uppercase || require_complex_password }, message: :must_contain_uppercase
|
Polite bump @nashby @carlosantoniodasilva 😇 |
|
how about modify the following configurations in the initializer file as below? config.password_complexity = {
upper: 1, # At least 1 uppercase letter
lower: 2, # At least 2 lowercase letters
digit: 3, # At least 3 digits
special: 4, # At least 4 special characters
} |
Thanks @datpmt seems like an elegant solution ✅ One issue which I could see arise however could be a clash between this and password length minimums? For ex, if you set the above, but stuck with the default 8 character minimum, you couldn't satisfy all the configured preferences. I think something like this could use your nicer syntax but also be more ergonomic with the wider validation system: config.password_complexity = {
upper: true, # require upper
lower: false, # don't require lower
digit: true, # require digit
special: true, # require special character
special_characters: ["!", "?", "@", "\"]
}What do you think? |
config.password_complexity = {
upper: true, # require upper
lower: false, # don't require lower
digit: true, # require digit
# special: true, # redundant
special_characters: ["!", "?", "@", "\"] # empty <=> special: false
}@kykyi Ah I see. Cool! Let do it! 👍 |
|
@datpmt updated to use your dict style ✅ |
test/models/validatable_test.rb
Outdated
| @@ -1,10 +1,9 @@ | |||
| # encoding: UTF-8 | |||
| # frozen_string_literal: true | |||
|
|
|||
| require 'test_helper' | |||
| require "test_helper" | |||
There was a problem hiding this comment.
| require "test_helper" | |
| require 'test_helper' |
Prefer single-quoted strings when you don't need string interpolation or special symbols.
References: rubocop
test/models/validatable_test.rb
Outdated
| def with_password_requirement(requirement, value) | ||
| # Change the password requirement and restore it after the block is executed | ||
| original_password_complexity= User.public_send("password_complexity") | ||
| original_value = original_password_complexity[requirement] |
There was a problem hiding this comment.
Useless assignment to variable - original_value.
test/models/validatable_test.rb
Outdated
|
|
||
| class ValidatableTest < ActiveSupport::TestCase | ||
| test 'should require email to be set' do | ||
| test 'should require email to be set' do |
There was a problem hiding this comment.
| test 'should require email to be set' do | |
| test 'should require email to be set' do |
remove redundant space
kykyi
force-pushed
the
feautre/provide-config-options-for-password-complexity
branch
from
36e5f42 to
776a657
Compare
|
Sorry for stirring the pot but I wanted to cross-post an opinion that presence of upper-cased letters, special characters and numbers has very little to do with password strength and what really contributes to the password strength is the length of the password. I'm genuinely worried that enforcing these password requirements from default will only contribute to poor user experience and potentially less secure passwords overall More context - rails/rails#53984 (comment) Upd: I overlooked the fact that all these requirements are disabled by default which is good. So perhaps it's still useful for applications that have to comply with regulations that are out of their control. I just don't think that setting these requirements should be encouraged |
|
Agreed @nvasilevski I think whilst this change pushes users to increase the entropy of their passwords, setting these and forgetting could lead devs into a false sense of security ➕ |
|
I agree with @nvasilevski - here's a specific argument against complexity requirements from the UK's National Cyber Security Centre: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Donotusecomplexityrequirements Recommend closure of the issue for Devise |
|
Picking up on a friendly invitation @nvasilevski given here I do not believe that what you write is wrong, the contrary, I believe some very valid points have been made. I am, as probably also you, sure that we are going towards a mixture of MFA and / or passwordless login and that's overall a good thing, but the environments around us are frequently not there yet. The problem is the world:
I would also mention that the Password Guidance of the NCSC that you linked is not the only opinion and as much as I love the UK, this guideline is derived from NIST. The reasoning behind it was that statistics had shown that strong requirements create weaker user generated passwords: But all of there guidance needs to be seen in context of the remaining document that advises also:
I think @kykyi made a great PR covering everything from configurability to effective resolution of the issue, maybe you could give it a look with different eyes (fearing weak integrations instead of fearing false sense of security) and we add some lines into documentation to make this a better PR covering also that the entire UTF-8 character set is only as great as the password length. I'd really appreciate a feedback from you guys on this and I really appreciate what you are doing here, just keep in mind that stuff like NIST / NCSC guidelines are forward looking and not backward looking and need to be seen in context of the entire document. In a perfect world we would all have a password manager and OTP token for every password, but well, we all have grandmothers / fathers and parents having issues remembering 5 letters, alfanumeric or not, struggling to use a password manager. Given what devise is, it should have everything on board to make an informed decision on this topic and implement it. |
|
Thanks for the perspective and for weighing in @fthobe 🙏 . I'll reopen and wait for a maintainer to merge/comment/close just so the issue can be resolved 😄 |
Actually @nvasilevski did not obligate you to close it, sometimes things need some time to get traction and sometimes topics move in waves. Be patient, open source is neither fast nor democratic 😅 |
|
@timdiggins Hey, I would be super interested in your oppinion on my comment :) |
In relation to #5591
This PR introduces application config to allow for password complexity to granularly managed with new validation options for:
These are all
falseby default, and configurable like:Note