Plugin for Devise to reject weak passwords, using zxcvbn-js, which is a Ruby port of zxcvbn (realistic password strength estimation). The user's password is rejected if its score is below 4 by default. The user's email is also passed to zxcvbn as user input, so passwords containing the email are scored lower.
The scores 0, 1, 2, 3 or 4 are given when the estimated crack time (in seconds) is less than:

- 0: 10**2
- 1: 10**4
- 2: 10**6
- 3: 10**8
- 4: Infinity
Add this line to your application's Gemfile:

```ruby
gem 'devise_zxcvbn'
```
```ruby
class User < ActiveRecord::Base
  devise :zxcvbnable

  # Optionally add more weak words to check against:
  def weak_words
    ['mysitename', self.name, self.username]
  end
end
```
The minimum required score can be changed in the Devise initializer. A score of less than 3 is not recommended.

```ruby
# config/initializers/devise.rb
Devise.setup do |config|
  config.min_password_score = 4
end
```
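To make the flow above concrete, here is an added example (plain Ruby, not the gem's own code) of the check the plugin performs: the email and `weak_words` are assembled into the user-input list, the estimator's crack time is mapped to a score with the thresholds listed above, and the result is compared against `min_password_score`. The strength estimator is injected as a callable; `STUB_ESTIMATOR` is a constructed stand-in so the block runs offline, and in the real plugin that call goes to zxcvbn.

```ruby
module PasswordStrengthCheck
  # Crack-time thresholds (seconds) for scores 0..3; anything longer scores 4.
  SCORE_THRESHOLDS = [10**2, 10**4, 10**6, 10**8].freeze
  DEFAULT_MESSAGE = 'not strong enough. It scored %{score}. ' \
                    'It must score at least %{min_password_score}.'

  def self.score_for(crack_time_seconds)
    SCORE_THRESHOLDS.index { |limit| crack_time_seconds < limit } || 4
  end

  # Tokens the estimator should treat as user inputs: the full email, its
  # local part and first domain label, plus any model-supplied weak words.
  # nil entries (e.g. self.name on a user with no name) are dropped.
  def self.user_inputs(email, weak_words = [])
    local, domain = email.to_s.split('@', 2)
    tokens = [email, local, domain.to_s.split('.').first, *weak_words]
    tokens.compact.map { |t| t.to_s.downcase }.reject(&:empty?).uniq
  end

  # Returns nil when the password passes, otherwise the formatted error
  # message (same %{score} / %{min_password_score} placeholders as the gem).
  def self.check(password, email:, weak_words: [], min_score: 4, estimator:)
    inputs = user_inputs(email, weak_words)
    score = score_for(estimator.call(password, inputs))
    return nil if score >= min_score

    format(DEFAULT_MESSAGE, score: score, min_password_score: min_score)
  end

  # Constructed stand-in for zxcvbn, used only so this example runs offline:
  # a password containing any user input is treated as instantly crackable;
  # otherwise the crack time grows with password length.
  STUB_ESTIMATOR = lambda do |password, inputs|
    return 0 if inputs.any? { |t| password.downcase.include?(t) }

    10.0**password.length
  end
end

if $PROGRAM_NAME == __FILE__
  puts PasswordStrengthCheck.check('alice2024', email: 'alice@example.com',
                                   weak_words: ['mysitename', nil],
                                   estimator: PasswordStrengthCheck::STUB_ESTIMATOR)
end
```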
The default error message is:

"not strong enough. It scored %{score}. It must score at least %{min_password_score}."

You can customize this error message by modifying the devise yaml file. The `feedback`, `crack_time_display`, `score` and `min_password_score` variables are passed through if you need them.
```yaml
# config/locales/devise.en.yml
en:
  errors:
    messages:
      weak_password: "not strong enough. Consider adding a number, symbols or more letters to make it stronger."
```
- Fork it
- Create your feature branch (`git checkout -b my-new-feature`)
- Commit your changes (`git commit -am 'Add some feature'`)
- Push to the branch (`git push origin my-new-feature`)
- Create new Pull Request