password_requirements.rdoc

doc/guides/password_requirements.rdoc
Last Update: 2023-02-14 08:18:37 -0800

Customize password requirements

By default, Rodauth requires passwords to have at least 6 characters. You can modify the minimum and maximum length:

plugin :rodauth do
  enable :login, :logout, :create_account

  # Require passwords to have at least 8 characters
  password_minimum_length 8

  # Don't allow passwords to be too long, to prevent long password DoS attacks
  password_maximum_length 64
end

You can use the disallow common passwords feature to prevent the usage of common passwords (the most common 10,000 by default).

You can use additional complexity checks on passwords via the password complexity feature, though most of those complexity checks are no longer considered modern security best practices and are likely to decrease overall security.

If you want complete control over whether passwords meet requirements, you can use the password_meets_requirements? configuration method.

plugin :rodauth do
  enable :login, :logout, :create_account

  password_meets_requirements? do |password|
    super(password) && password_complex_enough?(password)
  end

  auth_class_eval do
    # If password doesn't pass custom validation, add field error with error
    # reason, and return false.
    def password_complex_enough?(password)
      return true if password.match?(/\d/) && password.match?(/[^a-zA-Z\d]/)
      set_password_requirement_error_message(:password_simple, "requires one number and one special character")
      false
    end
  end
end