Chris Oliver Chris Oliver

Rails Tip: Adding Password Complexity Validations To Devise

Sep 13, 2012

This is a quick tip for adding complexity to Devise passwords. None of this is very special, but I thought it would be good to write about considering there is a lack of documentation on how people would go about implementing this.

Here we have a typical Devise user model. What’s new is the password complexity validation.

class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable
  attr_accessible :email, :password, :password_confirmation, :remember_me,

  validate :password_complexity

  def password_complexity
    if password.present? and not password.match(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d). /)
      errors.add :password, "must include at least one lowercase letter, one uppercase letter, and one digit"
    end
  end
end

This is exactly like your typical custom validation. The only exception is that it validates the password format only when the password is present. Since the password attribute in a Devise model only exists when you are creating a user, and only when you’re updating a user, you can’t perform this validation every time.

As for the regex, it uses positive look aheads to check for a lowercase letter, uppercase letter, and a digit. Each of those is required for validation. I found this nifty regex on Stack Overflow.

If you’d like some more advanced security, you can use the Devise Security Extension which provides the above functionality and a whole lot more.


Continue reading

Would You Like To Become A Better Programmer? The Importance Of Good User Experience