Devise: Default password range should be adjusted to comply with NIST standards

Created on 27 Apr 2018  ·  3 Comments  ·  Source: heartcombo/devise

Current behavior

  # ==> Configuration for :validatable
  # Range for password length.
  config.password_length = 6..128

Expected behavior

  # ==> Configuration for :validatable
  # Range for password length.
  config.password_length = 8..1000

The minimum value should be 8 characters. The max value should be much higher than 128. Maybe 255? I don't see any reason why you would want to limit users on the max length (perhaps within 1000 characters), especially if they're using 3rd party password generator tools.

I can file a PR with this change depending on what people decide makes the most sense!
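As an added illustration (not Devise's own code, and not part of the issue), here is a stand-alone model of the length check that Devise's `:validatable` module applies through `config.password_length`, together with the caveat a reviewer would raise when the upper bound is pushed far above 128: bcrypt, Devise's default hasher, only uses the first 72 bytes of its input. The range constants follow the values on this page; the function names are assumptions.

```ruby
# Added example, not Devise's code. Models validates_length_of :password,
# within: range, allow_blank: true, which is what :validatable sets up from
# config.password_length, and checks the bcrypt 72-byte input limit.

DEFAULT_RANGE  = 6..128    # current Devise default (this issue's "current behavior")
PROPOSED_RANGE = 8..1000   # range proposed in this issue
BCRYPT_INPUT_BYTES = 72    # bcrypt hashes only the first 72 bytes of the password

# Returns the ActiveModel-style error messages a password would receive.
# Length is counted in characters, as ActiveModel does, so multibyte
# passwords are not penalised for their byte size.
def password_length_errors(password, range = PROPOSED_RANGE)
  errors = []
  return errors if password.nil? || password.empty?   # allow_blank: true
  if password.length < range.min
    errors << "is too short (minimum is #{range.min} characters)"
  end
  if password.length > range.max
    errors << "is too long (maximum is #{range.max} characters)"
  end
  errors
end

# True when the tail of the password would be silently ignored by bcrypt:
# a range that admits such inputs accepts characters the hasher never compares.
def truncated_by_bcrypt?(password)
  password.to_s.bytesize > BCRYPT_INPUT_BYTES
end

# Largest character count that is still fully hashed when every character
# occupies bytes_per_char bytes (1 for ASCII, up to 4 for UTF-8).
def max_fully_hashed_chars(bytes_per_char = 1)
  BCRYPT_INPUT_BYTES / bytes_per_char
end
```

With the proposed range a 7-character password is rejected while the current default accepts it, and any password over 72 bytes passes the length check but is only partially hashed by bcrypt, which is why a large maximum is harmless only if the hasher's limit is understood.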

All 3 comments

The password length is configurable, so you can change it to whatever better fits your needs.
Changing this default now can be a pain for backward compatibility, so I think we should keep it as it is today.

@tegon How is this a pain for backwards compatibility? The defaults that are generated would be for NEW users of Devise. This just sets a better standard for future users.

@tegon I would like to reopen this issue because I feel strongly enough that leaving it at 6 is irresponsible at this point. Please reconsider. Yes, you can change it, but most people won't (especially newbies). Shouldn't we be guiding users into the best practices?

As an aside I believe bcrypt is no longer favorable either but we can talk about that later...
