
New password default minimum length is now 8

Commit 2950434ed344610770ad83dd77c9f45b9f01713c (parent 1aca139), Rodrigo Flores committed Jul 6, 2012
Showing with 5 additions and 5 deletions.
  1. +1 −1 lib/devise.rb
  2. +1 −1 lib/generators/templates/devise.rb
  3. +3 −3 test/models/validatable_test.rb
@@ -90,7 +90,7 @@ module Strategies
# Range validation for password length
mattr_accessor :password_length
- @@password_length = 8..128
+ @@password_length = 6..128
# The time the user will be remembered without asking for credentials again.
mattr_accessor :remember_for
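Review bot: the library default (`@@password_length = 6..128`) now disagrees with the commit title's 8-character minimum, so any app that never runs the generator, or that keeps the old commented-out `# config.password_length` line in its initializer, silently ends up with the weaker 6-character floor. Keep one source of truth: either set `@@password_length = 8..128` here as well and let the generated template merely document it, or say explicitly in the commit message that the library default is intentionally left at 6 for existing apps.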
@@ -114,7 +114,7 @@
# ==> Configuration for :validatable
# Range for password length. Default is 8..128.
- # config.password_length = 8..128
+ config.password_length = 8..128
# Email regex used to validate email formats. It simply asserts that
# an one (and only one) @ exists in the given string. This is mainly
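Review bot: the comment `# Range for password length. Default is 8..128.` no longer matches the library default, which this commit sets to 6..128 in lib/devise.rb, and because the setting below is now uncommented only freshly generated initializers get 8..128 while existing apps keep the library value. Reword the comment to state the actual library default and the recommended value, and add a CHANGELOG entry telling existing apps to add `config.password_length = 8..128` themselves.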
@@ -76,10 +76,10 @@ class ValidatableTest < ActiveSupport::TestCase
assert_equal 'doesn\'t match confirmation', user.errors[:password].join
end
- test 'should require a password with minimum of 8 characters' do
- user = new_user(:password => '1234567', :password_confirmation => '1234567')
+ test 'should require a password with minimum of 6 characters' do
+ user = new_user(:password => '12345', :password_confirmation => '12345')
assert user.invalid?
- assert_equal 'is too short (minimum is 8 characters)', user.errors[:password].join
+ assert_equal 'is too short (minimum is 6 characters)', user.errors[:password].join
end
test 'should require a password with maximum of 128 characters long' do
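Review bot: the test only shows that a 5-character password is rejected; it does not pin the lower boundary, so a later move to 7..128 would still pass the `invalid?` assertion and only the error-message string would catch it. Add a positive case with a 6-character password, e.g. `new_user(:password => '123456', :password_confirmation => '123456')` asserting `user.valid?`, and consider a test that exercises the 8..128 value the generated template now sets, so the lib/generator split is covered rather than implicit.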

11 comments on commit 2950434

Collaborator

carlosantoniodasilva replied Jul 6, 2012

Ahm, are we keeping 6 as lib's default, but 8 in the generated template? Any reasoning?

Owner

josevalim replied Jul 6, 2012

Collaborator

rafaelfranca replied Jul 6, 2012

Yes, I agree that it is better to change the generator default.

Collaborator

carlosantoniodasilva replied Jul 6, 2012

My opinion? Change it, put it in the changelog and we may blog about the update later on, when releasing a new version - it's a one-line change for any developer who wants to keep it at 6. A change from 6 to 8 chars is probably not enough to break existing functionality, since current passwords will still work (they should), and the user will be asked to enter an 8-digit one only when making a change to the password (i.e. registrations/edit or password reset).

This will save us from having to sanity-check why in the world the generator is so different from the lib one. We've had some headaches with this in SimpleForm. Anyway, the important bit is that new apps will default to 8, so consider this just my 2 cents to ignore ;)

Owner

josevalim replied Jul 6, 2012

Unfortunately people don't read the CHANGELOG. :( Given everyone's feedback, I think the best solution is: make the default nil and provide an initializer that checks if config.password_length is set. If not, show the user a warning message, saying we are now defaulting to 8..120, but if he wants to keep the previous value, he should set it in his initializer.

This way, everyone is kind of forced to upgrade to 8..120, but users will at least receive a warning.

Contributor

rodrigoflores replied Jul 6, 2012

I agree that we should do a smooth change, although it will not break production environments (an already-set password with a length of 6 still works, right?). So, I propose we do this:

  • New applications come with this new definition (but it can be changed);
  • We add a deprecation warning telling that the config will change. If you want to continue using 6-character passwords as the minimum, set this in the configuration. So, in the minor version after the next minor version (I'm talking about Devise 2.3 or 3.0) we set this as the default.

Wdyt?
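The upgrade path sketched in the two comments above (a nil library default, a deprecation warning whenever the app never set config.password_length, and the new range applied only to passwords being set or changed), as an added Ruby sketch that is not Devise's own code; PasswordPolicy, NEW_DEFAULT, LEGACY_DEFAULT and the warnings list are assumptions of this example.

```ruby
module PasswordPolicy
  # Range a fresh install gets after the migration period (8..120 in the thread).
  NEW_DEFAULT = (8..120).freeze
  # Range apps relied on before the change.
  LEGACY_DEFAULT = (6..128).freeze

  class << self
    # Stands in for `mattr_accessor :password_length` with a nil default:
    # nil means the app never set it in its Devise initializer.
    attr_accessor :password_length
    attr_reader :warnings
  end

  self.password_length = nil
  @warnings = []

  # Resolve the effective range: an explicit setting wins; an unset value
  # falls back to NEW_DEFAULT and emits a one-time deprecation warning that
  # tells the developer exactly how to keep the old range.
  def self.effective_password_length
    return password_length if password_length

    msg = "config.password_length is not set; defaulting to #{NEW_DEFAULT} " \
          "(was #{LEGACY_DEFAULT}). Set config.password_length = " \
          "#{LEGACY_DEFAULT} in your Devise initializer to keep the old range."
    unless @warnings.include?(msg)
      @warnings << msg
      warn msg
    end
    NEW_DEFAULT
  end

  # Length check as :validatable applies it when a password is set or changed.
  # Stored passwords are never re-validated, which is why the thread expects
  # raising the minimum not to break existing logins.
  def self.password_errors(password)
    range = effective_password_length
    return ["is too short (minimum is #{range.min} characters)"] if password.length < range.min
    return ["is too long (maximum is #{range.max} characters)"] if password.length > range.max

    []
  end
end
```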

Owner

josevalim replied Jul 6, 2012

@rodrigoflores we suggested pretty much the same thing, except that my proposal is: 1) we change and tell the users. Yours is: 1) tell the users it will change and 2) then change. For me both are fine.

Collaborator

carlosantoniodasilva replied Jul 6, 2012

Unfortunately people don't read the CHANGELOG. :(

That's their fault :trollface:

I'm kidding bro :D. That still makes things different everywhere, but it seems like a possible good solution. Will we someday be able to put the default back into lib?

Owner

josevalim replied Jul 6, 2012

Yeah, both solutions will allow us to set the default back into lib (this should be possible in Simple Form too).

Collaborator

carlosantoniodasilva replied Jul 6, 2012

Owner

josevalim replied Jul 24, 2012
