Skip to content
Devise extension that checks user passwords against the PwnedPasswords dataset
Ruby HTML JavaScript CSS
Branch: master
Clone or download
michaelbanfield Add a section on testing
Adding snippet from

#18

to README
Latest commit 2990389 Jul 27, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Add rubocop and fix violations Feb 23, 2018
lib Optionally set a different password match threshold to warn the users… Jan 9, 2019
test Optionally set a different password match threshold to warn the users… Jan 9, 2019
.gitignore Remove Gemfile.lock Mar 27, 2018
.rubocop.yml Add rubocop to Travis build script Feb 23, 2018
.travis.yml Add rubocop to Travis build script Feb 23, 2018
Gemfile
MIT-LICENSE Initial commit Oct 3, 2017
README.md
Rakefile Fix rubocop violation Feb 28, 2018
devise-pwned_password.gemspec

README.md

Devise::PwnedPassword

Devise extension that checks user passwords against the PwnedPasswords dataset https://haveibeenpwned.com/Passwords

Based on

https://github.com/HCLarsen/devise-uncommon_password

Recently the HaveIBeenPwned API has moved to a authenticated/paid model , this does not effect the PwnedPasswords API, no payment or authentication is required.

Usage

Add the :pwned_password module to your existing Devise model.

class AdminUser < ApplicationRecord
  devise :database_authenticatable, 
         :recoverable, :rememberable, :trackable, :validatable, :pwned_password
end

Users will receive the following error message if they use a password from the PwnedPasswords dataset:

Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.

You can customize this error message by modifying the devise YAML file.

# config/locales/devise.en.yml
en:
  errors:
    messages:
      pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"

You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset. The default message is:

Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.

You can customize this message by modifying the devise YAML file.

# config/locales/devise.en.yml
en:
  devise:
    sessions:
      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."

By default passwords are rejected if they appear at all in the data set. Optionally, you can add the following snippet to config/initializers/devise.rb if you want the error message to be displayed only when the password is present a certain number of times in the data set:

# Minimum number of times a pwned password must exist in the data set in order
# to be reject.
config.min_password_matches = 10

By default the value set above is used to reject passwords and warn users. Optionally, you can add the following snippet to config/initializers/devise.rb if you want to use different thresholds for rejecting the password and warning the user (for example you may only want to reject passwords that are common but warn if the password occurs at all in the list):

# Minimum number of times a pwned password must exist in the data set in order
# to warn the user.
config.min_password_matches_warn = 1

By default responses from the PwnedPasswords API are timed out after 5 seconds to reduce potential latency problems. Optionally, you can add the following snippet to config/initializers/devise.rb to control the timeout settings:

config.pwned_password_open_timeout = 1
config.pwned_password_read_timeout = 2

Disabling in test environments

Currently this module cannot be mocked out for test environments. Because an API call is made this can slow down tests, or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this.

class User < ApplicationRecord
  devise :invitable ...  :validatable, :lockable
  devise :pwned_password unless Rails.env.test?
end

Installation

Add this line to your application's Gemfile:

gem 'devise-pwned_password'

And then execute:

$ bundle install

Optionally, if you also want to warn existing users when they sign in, override after_sign_in_path_for

def after_sign_in_path_for(resource)
  set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
  super
end

This should generally be added in app/controllers/application_controller.rb for a rails app. For an Active Admin application the following monkey patch is needed.

# config/initializers/active_admin_devise_sessions_controller.rb
class ActiveAdmin::Devise::SessionsController
  def after_sign_in_path_for(resource)
      set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
      super
  end
end

Considerations

A few things to consider/understand when using this gem:

Contributing

To contribute

  • Check the issue tracker and pull requests for anything similar
  • Fork the repository
  • Make your changes
  • Run bin/test to make sure the unit tests still run
  • Send a pull request

License

The gem is available as open source under the terms of the MIT License.

You can’t perform that action at this time.