Validating password strength

15 Mar 2025
Are you eager to elevate your security skills and safeguard your applications against cyber threats? I created a Rails Security course is designed specifically for developers like you who aim to build robust, secure Rails applications!
Buy my course: Security for Rails Developers.

A pull request on Rails and Devise triggered me to write this blogpost.

Password strength is more complicated than length and the enforcement of various characters, because passwords like “Admin123!” can meet certain requirements, like containing different cases, 3 digits and a special character, but can be still cracked in no time and would fall for a dictionary attack even quicker.There are plenty of resources online explaining this, so I will not repeat them.

Luckily, there is an open-source password strenght estimator that works via pattern matching and does a pretty good job at flagging easy to crack passwords: zxcvbn. There is a Ruby implementation too of the tool and that makes it easy to validate the strenght of a password.

You just need to add the gem to your app with bundle:

bundle add zxcvbn-ruby

Then you can add a validator to your user model as follows:

require 'zxcvbn'
class User < ApplicationRecord

  validate :password_strength

  def password_strength
    if password.present?
      result = Zxcvbn::Tester.new.test(password)
      if result.feedback.suggestions.any?
        errors.add :password, result.feedback.suggestions.join(' ' )
      end
    end
  end
end

I suggest to additionally validate the passwords with the pwned gem, to make sure they were not in a data breach. Doing so is also pretty simple.

You need to add the gem to the Gemfile:

bundle add pwned

And you can use the custom Rails validator from the gem:

class User < ApplicationRecord
  # ...
  validates :password, not_pwned: true
end

By adding these two validations, you will enforce way stronger passwords then if you just require the presence of certain characters.

Or follow me on Twitter

Related posts