Devise plugin to reject weak passwords using zxcvbn
Switch branches/tags
Clone or download
matthewford Merge pull request #28 from bitzesty/improvements
Improving specs and some refactoring.

Can no longer call password_score with a string - it expects that the object will respond to the password method
Latest commit 3b68889 Sep 19, 2017


Gem Version Circle CI Code Climate

Plugin for devise to reject weak passwords, using zxcvbn-js which is a ruby port of zxcvbn: realistic password strength estimation.

The user's password will be rejected if the score is below 4 by default. It also uses the email as user input to zxcvbn, to reject passwords containing parts of the email (if using zxcvbn.js on the frontend you should also do this to get the same score).

The scores 0, 1, 2, 3 or 4 are given when the estimated crack time (seconds) is less than 10**2, 10**4, 10**6, 10**8, Infinity.


Add this line to your application's Gemfile:

gem 'devise_zxcvbn'


class User < ActiveRecord::Base
  devise :zxcvbnable

  # Optionally add more weak words to check against:
  def weak_words
    ['mysitename',, self.username]

Available methods for devise resources

class User < ApplicationRecord
  devise :zxcvbnable

user = do |user| = ""
  user.password = "123456789"

user.password_score => #<OpenStruct password="123456789", guesses=6, guesses_log10=0.7781512503836435, sequence=[{"pattern"=>"dictionary", "i"=>0, "j"=>8, "token"=>"123456789", "matched_word"=>"123456789", "rank"=>5, "dictionary_name"=>"passwords", "reversed"=>false, "l33t"=>false, "base_guesses"=>5, "uppercase_variations"=>1, "l33t_variations"=>1, "guesses"=>5, "guesses_log10"=>0.6989700043360187}], calc_time=15, crack_times_seconds={"online_throttling_100_per_hour"=>216, "online_no_throttling_10_per_second"=>0.6, "offline_slow_hashing_1e4_per_second"=>0.0006, "offline_fast_hashing_1e10_per_second"=>6.0e-10}, crack_times_display={"online_throttling_100_per_hour"=>"4 minutes", "online_no_throttling_10_per_second"=>"less than a second", "offline_slow_hashing_1e4_per_second"=>"less than a second", "offline_fast_hashing_1e10_per_second"=>"less than a second"}, score=0, feedback={"warning"=>"This is a top-10 common password", "suggestions"=>["Add another word or two. Uncommon words are better."]}>
# returns a simple OpenStruct object so than you could send another messages to get more info

user.password_weak? => true/false # returns a boolean result of checking of weakness of your set password

Default parameters

A score of less than 3 is not recommended.

# config/initializers/devise.rb
Devise.setup do |config|
  config.min_password_score = 4

Error Message

The default error message:

"not strong enough. It scored %{score}. It must score at least %{min_password_score}."

You can customize this error message modifying the devise YAML file.

The crack_time_display, password_sample, score and min_password_score variables are passed through if you need them.

# config/locales/devise.en.yml
      weak_password: "not strong enough. Consider adding a number, symbols or more letters to make it stronger."


  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Add test coverage for the feature, We use rspec for this purpose
  4. Commit your changes (git commit -am 'Add some feature')
  5. Push to the branch (git push origin my-new-feature)
  6. Create new Pull Request