beef with password complexity

[fthobe]

Hey,

I was just curious, why did you give a thumbs down to password complexity on devise?

[salzig]

Partially cause I'm regularly annoyed by very bad password policies. Some examples:

1. "Only Numbers"
   Some German banks have those policies, you really can't help them anymore.

2. more then 8 Chars, but no consecutive repeating chars.
   Just Bullshit. You can have a 32 Char password, but "aaa" as part of password can be ruled out. Effectively reducing the amount of possible passwords.

3. more then 8 Chars, but arbitrary limiting N chars to smaller set of characters.
   Just insane. I would prefer my Users to choose good/long Passphrases/Sentences over any 8-char password with special Chars.

IMHO a more worthy way would be to include something like https://github.com/dropbox/zxcvbn to estimate the "worthiness" of the password.

[salzig]

I don't like the idea of current implementation. Yes, there are situations where checking for specific rules is necessary, but that shouldn't mean everyone has to follow those rules (and adding it as a devise feature maybe triggers this). I can remember well enough that there was an RegEx commonly shared to "validate" email addresses, which didn't allow for "+" chars in the user part. Not fun.

Additionally I don't like to hide away that you could just add a validator. Is it hard for users to add a Password-Attribute validator? If so, make it simpler. If not, keep it that way and help users adding one that fits.

Would it be neat to have a set of password validators for common government enforced rules? Sure, but is this really a Devise Problem?

I still don't feel like "reopening" the discussion on the PR. Maintainers seem to be happy.

[fthobe]

I fully agree, but external standards are external standards, it's not more worrisome to you that everybody with varying skillset cooks their own recipe?

[salzig]

I'm more worried about a bad default that gives a false sense of security and in addition is just cumbersome for users, then I'm worried about bad passwords. Using one Uppercase, one Lowercase, one Number and maybe one Specialchars is a kinda naive approach.

Just as stated here rails/rails#53984 (comment), but I think it can be applied to Devise too.

If Rails was to provide such feature it would need to align with the up-to-date opinions in this area, especially when it comes to default implementation

If there is evidence that too many developers get bitten by the current default, then we should think about forcing configuration from the implementing developer. But not with one default, but a list of known good/accepted variants.

Also, cause I don't think it's good to burden this on devise, it should be done as simple as possible, i.e. by choosing/enabling a validator class.

Linking back to the original PR, maybe someone finds it interesting to read: heartcombo/devise#5727

[fthobe]

We do not agree at all regarding having this or not having this in devise but I really appreciate the time you took to answer everything.

I believe most people are doing this anyway because of external requirements or internal policy (as right or wrong as it might be) and having this inside provides a unified path to do so, which in my opinion is better than el dorado.

Thank you for your comment, we align on the whole approach, we just end up with different conclusions, but I immensely appreciate what you wrote!