---
title: Enforce Stricter Password Policies
impact: HIGH
impactDescription: ensures users use strong, difficult-to-crack passwords
tags: security, password, authentication
---

## Enforce Stricter Password Policies

Require a minimum password length and a mix of character classes (uppercase, lowercase, numbers, symbols) so that short or trivially guessable passwords are rejected at registration, which raises the cost of credential guessing.

**Incorrect (weak password requirements):**

```ruby
class User < ApplicationRecord
  has_secure_password
  validates :password, length: { minimum: 4 } # Too short
end
```

**Correct (strong policy):**

```ruby
class User < ApplicationRecord
  has_secure_password
  # allow_nil so updates that do not touch the password (e.g. changing an
  # email address) are not rejected; has_secure_password still enforces
  # presence on create.
  validates :password, length: { minimum: 12 }, allow_nil: true
  # Complexity check
  validate :password_complexity

  # \A and \z anchor to the whole string; ^ and $ match at line boundaries
  # in Ruby, so they would accept a multi-line value whose first line passes.
  PASSWORD_COMPLEXITY = /\A(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{12,}\z/

  def password_complexity
    return if password.blank? || password.match?(PASSWORD_COMPLEXITY)
    errors.add :password, 'Complexity requirement not met'
  end
end
```
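The complexity rule above as a plain-Ruby check that runs without Rails (an added example, not code from the original page); it uses the page's own character class and contrasts the line anchors `^`/`$`, which in Ruby let a multi-line value through, with the string anchors `\A`/`\z`. The method and constant names are this example's own.

```ruby
# Line-anchored pattern: in Ruby ^ and $ match at every line boundary, so a
# value such as "Correct-Horse1\nmore" is accepted because its first line passes.
LINE_ANCHORED = /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{12,}$/

# String-anchored pattern: \A and \z bind the whole value to the rule
# (and . does not cross a newline, so an embedded newline fails the match).
STRING_ANCHORED = /\A(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{12,}\z/

# True when the password satisfies the pattern; nil/empty is treated as failing
# here (the Rails validator skips blanks because presence is checked elsewhere).
def complex_password?(password, pattern: STRING_ANCHORED)
  return false if password.nil? || password.empty?
  pattern.match?(password)
end

# Lists every unmet requirement so a user-facing error can say what to fix,
# instead of the single 'Complexity requirement not met' message.
def complexity_failures(password, min_length: 12)
  value = password.to_s
  failures = []
  failures << "at least #{min_length} characters" if value.length < min_length
  failures << 'an uppercase letter' unless value.match?(/[A-Z]/)
  failures << 'a lowercase letter' unless value.match?(/[a-z]/)
  failures << 'a digit' unless value.match?(/[0-9]/)
  failures << 'a symbol' unless value.match?(/[#?!@$%^&*-]/)
  failures
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  puts complex_password?('Correct-Horse1')                              # true
  puts complex_password?('correcthorse1!')                              # false (no uppercase)
  puts complex_password?("Correct-Horse1\nmore", pattern: LINE_ANCHORED)  # true  (pitfall)
  puts complex_password?("Correct-Horse1\nmore")                        # false (string anchors)
  p complexity_failures('short')
end
```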

**Tools:** devise-security, manual review

---
