Last Update: 2020-03-26 13:10:17 -0700

Documentation for Password Complexity Feature

The password complexity feature implements more sophisticated password complexity checks. Using this feature is not recommended unless you have a policy that requires it, as users who would not choose a good password in the absence of password complexity requirements are unlikely to choose a good password when such requirements are in place.

It checks that the password:

  • Contains characters in multiple character groups, by default at least 3 of uppercase letters, lowercase letters, numbers, and everything else, unless the password is over 11 characters.

  • Does not contain any invalid patterns, by default patterns like qwerty, azerty, asdf, zxcv, or number sequences such as 123.

  • Does not contain a certain number of repeating characters, by default 3.

  • Is not a dictionary word, after stripping off numbers from the prefix and suffix and replacing some common numbers/symbols often substituted for letters, catching things like P@$$w0rd1.
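
The four checks above, written out as a standalone Ruby sketch. This is an added example, not the feature's own implementation; the constant and method names, the substitution table, the three-word dictionary, and the reading of "number sequences" as ascending three-digit runs are assumptions made for illustration.

```ruby
require 'set'

# Added sketch, not the feature's own code. Defaults follow the page.
GROUPS = [/[A-Z]/, /[a-z]/, /\d/, /[^A-Za-z\d]/].freeze
MIN_GROUPS = 3
MAX_LENGTH_FOR_GROUPS_CHECK = 11   # longer passwords skip the group check
MAX_REPEATING = 3                  # this many identical characters in a row fails

# Assumption: "number sequences" means ascending three-digit runs (012..789).
DIGIT_RUNS = '0123456789'.chars.each_cons(3).map(&:join)
INVALID_PATTERN = Regexp.union(/qwerty|azerty|asdf|zxcv/i, *DIGIT_RUNS)
REPEAT_PATTERN = /(.)\1{#{MAX_REPEATING - 1}}/

# Constructed sample data: a tiny dictionary and an assumed substitution table.
DICTIONARY = Set.new(%w[password dragon monkey]).freeze
SUBSTITUTED = '@$0!13'
LETTERS     = 'asoile'

# Reduce a password to the word it was probably derived from:
# strip leading/trailing digits, undo common substitutions, ignore case.
def base_word(password)
  password.sub(/\A\d+/, '').sub(/\d+\z/, '').tr(SUBSTITUTED, LETTERS).downcase
end

# Returns the list of failed checks (empty when the password passes).
def complexity_failures(password, dictionary: DICTIONARY)
  failures = []
  if password.length <= MAX_LENGTH_FOR_GROUPS_CHECK &&
     GROUPS.count { |re| password.match?(re) } < MIN_GROUPS
    failures << :not_enough_character_groups
  end
  failures << :invalid_pattern if password.match?(INVALID_PATTERN)
  failures << :too_many_repeating_characters if password.match?(REPEAT_PATTERN)
  failures << :in_dictionary if dictionary.include?(base_word(password))
  failures
end

if __FILE__ == $PROGRAM_NAME
  ['P@$$w0rd1', 'qwerty123', 'aaab', 'Vx7#kLm2q', 'mylongpassphrase'].each do |pw|
    puts "#{pw.inspect}: #{complexity_failures(pw).inspect}"
  end
end
```

Note that `P@$$w0rd1` satisfies all four character groups and is rejected only by the dictionary check, while an all-lowercase 16-character passphrase passes because the group check is skipped above 11 characters.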

Auth Value Methods


An array of regular expressions representing different character groups.


An Array/Hash/Set containing dictionary words, which cannot match the password.


A file containing dictionary words, which will not be allowed. By default, /usr/share/dict/words if present. Set to false to not use a password dictionary. Note that this is only used during initialization, and cannot refer to request-specific state, unlike most other settings.


The error message fragment to show if the password is derived from a word in a dictionary.


A regexp where any match is considered an invalid password. For multiple sequences, use Regexp.union.


The error message fragment to show if the password matches the invalid pattern.


The number of characters above which to skip the checks for character groups.


The maximum number of repeating characters allowed.


The minimum number of character groups the password has to contain if it is less than password_max_length_for_groups_check characters.


The error message fragment to show if the password does not contain characters from enough character groups.


The error message fragment to show if the password contains too many repeating characters.