
devise_zxcvbn


A plugin for Devise that rejects weak passwords, using zxcvbn-rb, a Ruby port of zxcvbn (realistic password strength estimation).

By default a password is rejected when its zxcvbn score is below 4. The user's email address is also passed to zxcvbn as user input, so passwords that reuse parts of the email are rejected as well. If you also run zxcvbn.js on the frontend, pass the same user inputs there, otherwise the frontend and backend will compute different scores.

The scores 0, 1, 2, 3 and 4 correspond to an estimated crack time (in seconds) below 10**2, 10**4, 10**6, 10**8 and Infinity respectively. Those thresholds describe the original, entropy-based zxcvbn; zxcvbn 4.x, whose output is shown below (guesses, crack_times_seconds), buckets the score from the estimated number of guesses instead, so treat the score as a 0-4 strength band rather than a fixed crack time.
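The paragraph above says the email is fed to zxcvbn as user input and that a zxcvbn.js frontend must do the same to get matching scores. The following is an added example, not devise_zxcvbn's own code, of what "the same user inputs" means in practice: one tokeniser that both sides implement identically, plus a helper that reports which token zxcvbn's dictionary matcher would hit. The splitting rules, the MIN_TOKEN cut-off and the sample account are my own assumptions for illustration; the Ruby call it mirrors is the two-argument test(password, user_inputs) form, and the JS equivalent is zxcvbn(password, userInputs).

```ruby
# Added example, not devise_zxcvbn's own code: build the user_inputs list that
# both the Ruby backend and a zxcvbn.js frontend should hand to zxcvbn so
# that they produce the same score. The splitting rules are an illustration
# of the idea in the README, not a copy of the gem's email handling.

# Tokens shorter than this are dropped: fragments like "a" or "co" would
# penalise almost any password. (Assumed cut-off, not from the gem.)
MIN_TOKEN = 3

# Split an email address into the words an attacker would try: the whole
# local part, its pieces around . _ - +, the whole domain, each domain label,
# and the domain without its last label (e.g. "example.co" for example.co.uk).
def email_tokens(email)
  return [] unless email.to_s.include?("@")

  local, domain = email.to_s.downcase.strip.split("@", 2)
  local_pieces  = local.split(/[._+\-]/)
  domain_labels = domain.split(".")

  [local, *local_pieces, domain, *domain_labels, domain_labels[0...-1].join(".")]
    .reject { |t| t.length < MIN_TOKEN }
    .uniq
end

# The complete user_inputs list: email tokens plus any extra weak words
# (site name, display name, username), normalised the same way. Pass the
# result as the second argument on both sides:
#   Ruby: Devise.zxcvbn_tester.test(password, user_inputs_for(email, weak_words))
#   JS:   zxcvbn(password, userInputsFor(email, weakWords))
def user_inputs_for(email, weak_words = [])
  extra = weak_words.compact.map { |w| w.to_s.downcase.strip }
  (email_tokens(email) + extra)
    .reject { |t| t.length < MIN_TOKEN }
    .uniq
end

# Report which user input zxcvbn's dictionary matcher would hit, checking
# both the token and its reverse (zxcvbn also matches reversed dictionary
# words, hence the "reversed" flag in its output). Returns the offending
# token, or nil. Useful for a specific hint such as "your password
# contains part of your email address".
def matched_user_input(password, inputs)
  pw = password.to_s.downcase
  inputs.find { |t| pw.include?(t) || pw.include?(t.reverse) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample account, not real data.
  inputs = user_inputs_for("jane.doe+shop@example.co.uk", ["MySite", nil])
  puts inputs.inspect
  puts matched_user_input("MyDoe2024!", inputs).inspect            # "doe"
  puts matched_user_input("etisyM99", inputs).inspect              # "mysite" (reversed)
  puts matched_user_input("correct horse battery", inputs).inspect # nil
end
```

The point of centralising this is that the score is only comparable across backend and frontend if the user_inputs arrays are byte-for-byte the same; a frontend that passes only the raw email while the backend also passes weak_words will show a meter that disagrees with the server's verdict. matched_user_input is a diagnostic for feedback text only; the actual rejection should still come from the zxcvbn score, which accounts for what the rest of the password adds.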

Installation

Add this line to your application's Gemfile:

gem 'devise_zxcvbn'

Configuration

class User < ActiveRecord::Base
  devise :zxcvbnable

  # Optionally add more weak words to check against. Like the email, they
  # are fed to zxcvbn as user inputs, so passwords built from the site name
  # or the user's own name/username are penalised as well:
  def weak_words
    ['mysitename', self.name, self.username]
  end
end

Available methods for devise resources

class User < ApplicationRecord
  devise :zxcvbnable
end

user = User.new.tap do |user|
  user.email = "[email protected]"
  user.password = "123456789"
end

user.password_score => #<OpenStruct password="123456789", guesses=6, guesses_log10=0.7781512503836435, sequence=[{"pattern"=>"dictionary", "i"=>0, "j"=>8, "token"=>"123456789", "matched_word"=>"123456789", "rank"=>5, "dictionary_name"=>"passwords", "reversed"=>false, "l33t"=>false, "base_guesses"=>5, "uppercase_variations"=>1, "l33t_variations"=>1, "guesses"=>5, "guesses_log10"=>0.6989700043360187}], calc_time=15, crack_times_seconds={"online_throttling_100_per_hour"=>216, "online_no_throttling_10_per_second"=>0.6, "offline_slow_hashing_1e4_per_second"=>0.0006, "offline_fast_hashing_1e10_per_second"=>6.0e-10}, crack_times_display={"online_throttling_100_per_hour"=>"4 minutes", "online_no_throttling_10_per_second"=>"less than a second", "offline_slow_hashing_1e4_per_second"=>"less than a second", "offline_fast_hashing_1e10_per_second"=>"less than a second"}, score=0, feedback={"warning"=>"This is a top-10 common password", "suggestions"=>["Add another word or two. Uncommon words are better."]}>
# returns an OpenStruct, so you can call further methods on it (score, feedback, crack_times_display, ...) for more detail

user.password_weak? => true/false # returns true when the currently set password scores below min_password_score

Default parameters

Setting min_password_score below 3 is not recommended.

# config/initializers/devise.rb
Devise.setup do |config|
  config.min_password_score = 4
end

Error Message

The default error message:

"not strong enough. It scored %{score}. It must score at least %{min_password_score}."

You can customize this error message by editing the Devise locale YAML file.

The crack_time_display, feedback, score and min_password_score variables are passed through as interpolation variables if you need them in the message.

# config/locales/devise.en.yml
en:
  errors:
    messages:
      weak_password: "not strong enough. Consider adding a number, symbols or more letters to make it stronger."

Skipping password complexity validation

To turn off password complexity validation under certain conditions, implement a concern (or similar) that overrides skip_password_complexity? on the model:

# Return true to bypass the zxcvbn check for this record
def skip_password_complexity?
  true
end

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Add test coverage for the feature (we use RSpec)
  4. Commit your changes (git commit -am 'Add some feature')
  5. Push to the branch (git push origin my-new-feature)
  6. Create new Pull Request

License

devise_zxcvbn is Copyright © 2013 Bit Zesty. It is free software, and may be redistributed under the terms specified in the LICENSE file.

About Bit Zesty

Bit Zesty

devise_zxcvbn is maintained by Bit Zesty Limited. The names and logos for Bit Zesty are trademarks of Bit Zesty Limited.

See our other projects or hire us to design, develop, and support your product or service.


devise_zxcvbn's Issues

Skip scoring if model has other errors.

It would be better if zxcvbn didn't append password-score-related errors when the model already has other validation errors. For example, errors like "Password can't be blank. Password not strong enough. It scored 0. It must score at least 2." don't make any sense.

Strategy for dynamic min_password_score

I'd like to have config.min_password_score = 3 but require a higher score of 4 for Users with admin access. Is there a strategy for a User instance to conditionally override min_password_score?

Can't call zxcvbn js function

I'm working on a client-side strength meter but when I attempt to call the zxcvbn function I get a not defined error in the console. If I add //= require zxcvbn to my application.js file I get a

couldn't find file 'zxcvbn' with type 'application/javascript'

error. zxcvbn.js definitely exists in .rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/zxcvbn-js-4.4.3/data. What am I missing?

Release new version

Hey!

Would it be possible to release a new version that's compatible with Ruby 3.0? The code's already there, just need to tag, build and push a release to RubyGems.org.

Thanks!

NoMethodError - undefined method `feedback' for #<Zxcvbn::Score:0x007fb4390a17a8>

When I attempt to create a user account using Devise, I got the following error:

NoMethodError - undefined method `feedback' for #<Zxcvbn::Score:0x007fd26cc99ca8>:
  devise_zxcvbn (2.1.2) lib/devise_zxcvbn/model.rb:37:in `zxcvbn_feedback'
  devise_zxcvbn (2.1.2) lib/devise_zxcvbn/model.rb:29:in `i18n_variables'
  devise_zxcvbn (2.1.2) lib/devise_zxcvbn/model.rb:23:in `not_weak_password'

The app use:
Rails 5.0.1
ruby 2.3.1p112
'devise', '~> 4.2'
'devise_zxcvbn' and
gem 'zxcvbn-ruby', require: 'zxcvbn'

Inside User.rb

devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable, :confirmable, :lockable, :zxcvbnable

You can see the whole log here
https://gist.github.com/AhmedNadar/afc096648d59897089bf3047275676f0

Within the better_errors shell I got this:

>> @pass_score
=> #<Zxcvbn::Score:0x007fd6660aba60 
@entropy=14.288, @crack_time=1.0, @crack_time_display="instant", @score=0, 
@match_sequence=[#<Zxcvbn::Match matched_word="username11", token="username11", i=0, j=9, rank=2, pattern="dictionary", dictionary_name="user_inputs", base_entropy=1.0, uppercase_entropy=0.0, l33t_entropy=0, entropy=1.0>, #<Zxcvbn::Match i=10, j=13, token="1234", pattern="digits", entropy=13.28771237954945>], 
@password="paasswoord1234", @calc_time=0.005371412000386044>

Any idea what could cause that error?
Thanks!

Error

wrong number of arguments (given 3, expected 1..2)

I am getting this error on a vanilla rails 6 application with devise + devise_zxcvbn extension.

This seems to be a change from rails 6 to 6.1.
rails/rails#41270

Force old users

With the zxcvbn extension, is there any way to force old users to change their password when they connect for the first time after the change?

Thank you!

NoMethodError (undefined method `password_required?' for #<User:0x007f9b8610d500>)

With the gem enabled, when trying to update an already existing user, I get the following error:

NoMethodError (undefined method `password_required?' for #<User:0x007f9b8610d500>):
  app/controllers/users_controller.rb:51:in `update'

The corresponding method is:

  def update
    params[:user].delete(:roles) unless current_user.company_admin?
    I18n.locale = params[:user][:lang]
    @company = @user.company

    if params["user"]["allowed_event_types"]
      params["user"]["allowed_event_types"] = params["user"]["allowed_event_types"].reject(&:blank?)
    end

    if @user.update_attributes(params[:user])
      #After user changed password we need to update his credentials
      sign_in(@user, bypass: true) unless params[:user][:password].blank?
      session[:lang] = @user.lang
      flash[:notice] = t('flash.user.update.successful')
      EventsCreator::User.new(@user, current_user, :update).call
    else
      flash[:error] = error_messages("5109", @user)
    end
    redirect_to my_profile_path
  end

When I remove this gem, it all works well.

Any ideas on what could be causing this?

Update README

Just a small thing: the README still references password_sample when I believe it should be referencing feedback in the translations file section.

Please release a new version

Hey!
Thanks for the nice gem.

Do you have any plans to release a new version with conditional method check_password_complexity?

It looks like the current one on rubygems (4.4.1) uses password_requires?
It would be nice to have a new version with this change: f59207d

Thanks in advance!

Discrepancies in scores between this gem and the original Dropbox module

Hi,

I am using this gem in conjunction with the original JS zxcvbn, which is useful for the front-end of my web app.

The problem is I often see different scores for the same passwords, which is strange considering the ruby one is a port of the JS one. For example:

Ruby:
Zxcvbn.test('qwER43@!').score => 1
JS:
zxcvbn('qwER43@!').score => 2

Ruby:
Zxcvbn.test('Obama!123').score => 1
JS:
zxcvbn('Obama!123').score => 3

It seems the JS one is more lenient than the Ruby one.
Is anyone familiar with these differences? Am I doing something wrong here?

Thanks,
Michael

ExecJS::ProgramError

Hello,
I'm using a sidekiq job to generate a temp password. But quite often I get ExecJS::ProgramError: ExecJS::ProgramError error while checking the strength of generated password. The error message is not very informative, but I guess the devise_zxcvbn / zxcvbn-js causes it.

Any ideas what could be wrong?

devise_zxcvbn (2.1.1)
  zxcvbn-js (~> 4.2.0)

def weak_password?(password)
  Devise.zxcvbn_tester.test(password, []).score < Devise.min_password_score
end

ExecJS.runtime.name #=> "therubyracer (V8)"

Feedback formatting

I noticed that the feedback that's passed in to the Devise translation sometimes has a trailing period and sometimes does not. This appears to be due to the fact that sometimes we return a sentence and sometimes we use join(". "); in the latter case the last item won't have a trailing period.

One quick fix would be to either remove the trailing period from line 44, or add one to line 46. But I'm also wondering if this change could instead use newlines instead of periods, as that appears to be what the default Rails/Devise behavior is for other password validations. Does that make sense?
