Introduce config to allow for password complexity #5727
Conversation
kykyi
force-pushed
the
feautre/provide-config-options-for-password-complexity
branch
from
7fd350f to
98a037a
Compare
to be validated in :validatable with lower case, upper case, numbers, and configurable special character presence to be validated on.
kykyi
force-pushed
the
feautre/provide-config-options-for-password-complexity
branch
from
98a037a to
a6301cc
Compare
|
Hey @nashby if I could please request a review 😄 |
lib/devise.rb
Outdated
| # Validate presence of lower case letter in password | ||
| mattr_accessor :password_requires_lowercase | ||
| @@password_requires_lowercase = false | ||
|
|
||
| # Validate presence of upper case letter in password | ||
| mattr_accessor :password_requires_uppercase | ||
| @@password_requires_uppercase = false | ||
|
|
||
| # Validate presence of special character in password | ||
| mattr_accessor :password_requires_special_character | ||
| @@password_requires_special_character = false | ||
|
|
||
| # Special character options | ||
| mattr_accessor :password_special_characters | ||
| @@password_special_characters = "!?@#$%^&*()_+-=[]{}|:;<>,./" | ||
|
|
||
| # Validate presence of a number in password | ||
| mattr_accessor :password_requires_number | ||
| @@password_requires_number = false | ||
|
|
There was a problem hiding this comment.
I wonder if there could be some more general config like:
@@require_complex_password = falseWhich if true would require all of these individual pieces?
So the validations could become:
validates_format_of :password, with: /\p{Upper}/, if: -> { password_requires_uppercase || require_complex_password }, message: :must_contain_uppercase
|
Polite bump @nashby @carlosantoniodasilva 😇 |
|
how about modify the following configurations in the initializer file as below? config.password_complexity = {
upper: 1, # At least 1 uppercase letter
lower: 2, # At least 2 lowercase letters
digit: 3, # At least 3 digits
special: 4, # At least 4 special characters
} |
Thanks @datpmt seems like an elegant solution ✅ One issue which I could see arise however could be a clash between this and password length minimums? For ex, if you set the above, but stuck with the default 8 character minimum, you couldn't satisfy all the configured preferences. I think something like this could use your nicer syntax but also be more ergonomic with the wider validation system: config.password_complexity = {
upper: true, # require upper
lower: false, # don't require lower
digit: true, # require digit
special: true, # require special character
special_characters: ["!", "?", "@", "\"]
}What do you think? |
config.password_complexity = {
upper: true, # require upper
lower: false, # don't require lower
digit: true, # require digit
# special: true, # redundant
special_characters: ["!", "?", "@", "\"] # empty <=> special: false
}@kykyi Ah I see. Cool! Let do it! 👍 |
|
@datpmt updated to use your dict style ✅ |
test/models/validatable_test.rb
Outdated
| @@ -1,10 +1,9 @@ | |||
| # encoding: UTF-8 | |||
| # frozen_string_literal: true | |||
|
|
|||
| require 'test_helper' | |||
| require "test_helper" | |||
There was a problem hiding this comment.
| require "test_helper" | |
| require 'test_helper' |
Prefer single-quoted strings when you don't need string interpolation or special symbols.
References: rubocop
test/models/validatable_test.rb
Outdated
| def with_password_requirement(requirement, value) | ||
| # Change the password requirement and restore it after the block is executed | ||
| original_password_complexity= User.public_send("password_complexity") | ||
| original_value = original_password_complexity[requirement] |
There was a problem hiding this comment.
Useless assignment to variable - original_value.
test/models/validatable_test.rb
Outdated
|
|
||
| class ValidatableTest < ActiveSupport::TestCase | ||
| test 'should require email to be set' do | ||
| test 'should require email to be set' do |
There was a problem hiding this comment.
| test 'should require email to be set' do | |
| test 'should require email to be set' do |
remove redundant space
kykyi
force-pushed
the
feautre/provide-config-options-for-password-complexity
branch
from
36e5f42 to
776a657
Compare
|
Sorry for stirring the pot but I wanted to cross-post an opinion that presence of upper-cased letters, special characters and numbers has very little to do with password strength and what really contributes to the password strength is the length of the password. I'm genuinely worried that enforcing these password requirements from default will only contribute to poor user experience and potentially less secure passwords overall More context - rails/rails#53984 (comment) Upd: I overlooked the fact that all these requirements are disabled by default which is good. So perhaps it's still useful for applications that have to comply with regulations that are out of their control. I just don't think that setting these requirements should be encouraged |
|
Agreed @nvasilevski I think whilst this change pushes users to increase the entropy of their passwords, setting these and forgetting could lead devs into a false sense of security ➕ |
|
I agree with @nvasilevski - here's a specific argument against complexity requirements from the UK's National Cyber Security Centre: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Donotusecomplexityrequirements Recommend closure of the issue for Devise |
|
Picking up on a friendly invitation @nvasilevski given here I do not believe that what you write is wrong, the contrary, I believe some very valid points have been made. I am, as probably also you, sure that we are going towards a mixture of MFA and / or passwordless login and that's overall a good thing, but the environments around us are frequently not there yet. The problem is the world:
I would also mention that the Password Guidance of the NCSC that you linked is not the only opinion and as much as I love the UK, this guideline is derived from NIST. The reasoning behind it was that statistics had shown that strong requirements create weaker user generated passwords: But all of there guidance needs to be seen in context of the remaining document that advises also:
I think @kykyi made a great PR covering everything from configurability to effective resolution of the issue, maybe you could give it a look with different eyes (fearing weak integrations instead of fearing false sense of security) and we add some lines into documentation to make this a better PR covering also that the entire UTF-8 character set is only as great as the password length. I'd really appreciate a feedback from you guys on this and I really appreciate what you are doing here, just keep in mind that stuff like NIST / NCSC guidelines are forward looking and not backward looking and need to be seen in context of the entire document. In a perfect world we would all have a password manager and OTP token for every password, but well, we all have grandmothers / fathers and parents having issues remembering 5 letters, alfanumeric or not, struggling to use a password manager. Given what devise is, it should have everything on board to make an informed decision on this topic and implement it. |
|
Thanks for the perspective and for weighing in @fthobe 🙏 . I'll reopen and wait for a maintainer to merge/comment/close just so the issue can be resolved 😄 |
Actually @nvasilevski did not obligate you to close it, sometimes things need some time to get traction and sometimes topics move in waves. Be patient, open source is neither fast nor democratic 😅 |
|
@timdiggins Hey, I would be super interested in your oppinion on my comment :) |
|
Ping @nvasilevski @datpmt @timdiggins Could you retake a look at this PR and the comments made above. |
First of all, I completely agree that the length of a password significantly impacts its strength. In fact, many websites and company security policies require users to apply complexity rules to their passwords. This means that web applications using I believe |
@datpmt Is this PR for you acceptable or does it need additional work? |
|
@fthobe Im not a maintainer/committee here so my 10c isn't worth so much 😀 A pragmatic response: My sense is that there isn't much maintainer involvement and devise is going into decline - there are CI-fix and bug fix PRs that have had no maintainer involvement so I don't think there's feature development will gain any traction. |
|
@timdiggins a lot of stuff still relies on it so we need to work with what we have. I honestly think it's a very mature product. Anyhow I'd really appreciate your opinion. @carlosantoniodasilva does this PR have a shot to be integrated? |
I will take the time to run it locally and provide a review as soon as possible. |
|
@kykyi you should also put some thought in documentation. |
Unless you meant that these applications are obligated to enforce such policy by a law that is out of their control I don't find this argument to be strong. Many applications make poor engineering and design decisions, including choosing unnecessary password/email validations. It shouldn't be a reason for libraries and frameworks to accommodate these poor choices. Having said that,
These are strong arguments in favor of having this feature added as an optional one. There is little developers can do when it comes to complying with the law. And having a shared implementation in such cases is a huge win. I was coming from Rails perspective where the feature would become the only implementation of a "strong password" concept making it look like the only correct way to do strong passwords. Here proposal is different, it's an option that isn't enabled by default so I have nothing of a substance to say against. I just hope that applications won't reach for this feature without absolute necessity and let me use my long, secure, easy to remember and easy to type passwords. |
|
Hey @nvasilevski
Man, to be honest, it's a mess. It should be everybody's choice guided by strong conventions how to do it (which means here) and that's why I am pushing for it. Also I believe it's not good to run for anything to a separate gem, this is really low hanging fruit and could be done with relatively little effort here and thanks to @kykyi we are half the way there :) |
|
@datpmt i have some time on Wednesday to test this with spree and solidus. Is there anything I should be particularly attentive off? |
@fthobe You need to pay attention to the |
…ly a special character is required
|
@kykyi also given the small amount of files involved you could consider to squash the commits as "merge..." is not a great commit Name for clarity. |
In relation to #5591
This PR introduces application config to allow for password complexity to be granularly managed with new validation options for:
These are all
falseby default, and configurable like:Note