I want to force a user to choose a strong password on registration.
I know, there are many jquery password strength meters out there, and I will most probably use one of them, too. But that does not really enforce anyone to choose a strong password. The registration form must also be useable without js enabled, so one could still potentially register with a weak password.
Accounts must be most secure, because if you are logged in, you can see data of other accounts, which I do not want exposed under any circumstances. So I want to go for maximum security here, therefore I think, it is most important to only allow strong passwords.
So,
How do I set and customize requirements for validating minimum password strength? Only thing I could find in the devise config file is password length. Is there another gem that I should use for this task?
You can use the Devise Security extension, where you can define a password regexp validation (among other things) and enforce the password strength you want.
I've recently released a devise gem which uses the zxcvbn library to reject weak passwords:
https://github.com/bitzesty/devise_zxcvbn
As of this writing (2018), I'd suggest other-folk to consider the newer Devise Security fork before settling on the previously recommended Devise Security extension gem (stale as of v0.10.0 March 2016, but still OG AF mang!)
edit: This one looks more recent, but idk.
Related
I love the ThoughtBot Clearance gem (https://github.com/thoughtbot/clearance) for Rails authentication. But I'd like to expand my knowledge base in what/how I can make it more-better :)
I've used Devise (https://github.com/heartcombo/devise) in past projects, there's a great extension called "Devise Security Extension" written by Phatworx (https://github.com/phatworx/devise_security_extension) to add some additional features to Devise.
From Devise Security Extension
It is composed of 7 additional Devise modules:
:password_expirable - passwords will expire after a configured time (and will need an update). You will most likely want to use :password_expirable together with the :password_archivable module to prevent the current expired password being reused immediately as the new password.
:secure_validatable - better way to validate a model (email, stronger password validation). Don't use with Devise :validatable module!
:password_archivable - save used passwords in an old_passwords table for history checks (don't be able to use a formerly used password)
:session_limitable - ensures, that there is only one session usable per account at once
:expirable - expires a user account after x days of inactivity (default 90 days)
:security_questionable - as accessible substitution for captchas (security question with captcha fallback)
:paranoid_verification - admin can generate verification code that user needs to fill in otherwise he wont be able to use the application.
I've done a quick search for this but Google didn't seem to come up with anything promising right off the bat. I'll keep digging but if I don't find anything I'll need to consider that I'd have to write something from scratch to extend some of the features like password rotation.
Does anyone know of any good extensions for clearance that have some similar features?
I'm beginner with Rails 5, i would appreciate your help.
I have an user model, where obviously save a password for the user for a possible login.
The thing is i want to set the password automatically based on a text_field called identification_number.
Everything I've read is about doing it with Devise gem, but I'm not using it and also don't want to.
Once again, thanks for your help.
The password field is just another string field called :identification_number for your case.
But, saving password in the DB as plain strings is highly unrecommended.
There are a lot of security issues if you save the passwords as plain strings on your database.
Some of them are that:
You have full access on the passwords of your users
If someone, somehow manages to access your database they will also have full access to the passwords of your users.
In order to avoid these issues, most of the applications save the password strings as encrypted strings with some kind of salt for enhanced entropy.
With a quick google search I found some relevant blog posts that can help you build the password encryption from scratch, such as:
Without using a gem:
https://www.sitepoint.com/rails-userpassword-authentication-from-scratch-part-i/
Using some gems:
http://railscasts.com/episodes/250-authentication-from-scratch?view=asciicast
Apart from that, the password is not an identification_number. I would not use that name. The password is not used to identify the user. The id is most of the time the identification number. Better just call it :password. Also, it does not need to be a text field, it shouldn't be that long.
You can use bcrypt gem for implementing the secure password.
The bcrypt ruby gem provides you with has_secure_password method. The has_secure_password method encrypts passwords by hashing and salting the passwords and generate ‘password_digest’.
you can refer this link for more info
In my Rails app, we use Devise gem for authentication and authorization. But for viewing some of the pages clients want a second password to be entered who will act like super users. This is not an Multi-Factor authentication request, but a kind of One Time Password (OTP) for a given set of pages/resources, just that the OTP will be static.
Devise does not provide this feature. Googling hasn't helped. Any idea how could this be achieved?
This sounds like a bit of an anti-pattern. Why not have an additional field on User that denotes if the user is a super user or not?
This has the benefits that:
there is no password to remember and distribute
super users have one less step to perform
you can easily remove users from this group, if needed
you don't need to build a secondary login form/page
I'm creating a web service with Rails 3.1 that requires authenticated user accounts for creating/managing content. It also requires an authorization scheme for transient 'users' accessing the content - they do not have accounts, but will simply provide a password furnished to them by the user who created the content in their requests.
I'm thinking the best strategy is to keep the two separate, not creating accounts for the transient users, representing them as a separate model associated with the content.
My question is whether this is something I should build from scratch, or whether I can get sufficient leverage from one of the existing authentication gems for it. And if the latter, how I would go about configuring it to manage two different strategies.
If understand right, you will have regular account users and temporary account generated by users to share access to whatever.
I don't think something for this specific purpose exist.
My think using a solid and confortable Auth Manager gem will be require to secure both user and tmp_account access.
The reste, ie managing user-tmp_account relation and managing life time + right of the tmp_account, could be done without pain manually.
I personally build up something similar with the gem Devise.
Turns out I don't really need an authentication gem. While the implementation isn't finished, it appears a combination of Rails 3.1's has_secure_password and CanCan will work well for this.
Here's Ryan Bate's tutorial for using has_secure_password: http://asciicasts.com/episodes/270-authentication-in-rails-3-1
The idea is to use has_secure_password on both the User and Content models, and implement current_user such that it creates a transient User when the password is provided, setting a password property on that transient user.Then the implementation of the init method in CanCan's Ability class will verify the transient user's password against the content in a can block.
How disable encrypting password in devise?
DISCLAIMER: While it certainly is not generally wise to store passwords unencrypted, there could exist cases in which the developer would want to do this. Hopefully the developer is conscientious enough to make sure that in making this generally poor security decision for their app, they are not endangering personal and or identifying info of their users. You might imagine a case where the app's only logged information is user interaction with the system as in some kind of study of user interaction.
tl;dr One can disable encryption in devise by creating a custom encryptor
and just having it return the password directly.
I agree with Shingara. You should never store people's passwords in an manner that's recoverable devise stores passwords hashed (not encrypted), they're both unreadable formats, but the difference is that you can't reverse the hashing.
If you're wondering why, this is so that if your site or database gets compromised, the hackers won't be able to steal your users passwords (users have a bad habit of using the same password on almost every site). You don't want to look silly by not hashing passwords, and you've no excuse since it's provided free for you with devise.
The only thing you need to be able to do with a password is authorize a user, which can still be done with a hashed password. You never need to tell users their password if they forget it, instead reset their password to something new (devise supports this too).