
Password authentication

There are several authentication settings you can modify in the config/eazybi.toml file. See the example file config/eazybi.toml.sample for commented examples of these settings.

Authentication

devise.timeout_in specifies how long a user session may stay idle before it times out (by default 10 hours). After this period of inactivity the user is asked for credentials again.

[devise]
timeout_in = "10 hours"


devise.invite_for specifies the period the generated invitation token (that is sent in the invitation email) is valid (by default 2 weeks).

[devise]
invite_for = "2 weeks"


devise.remember_for sets the time the user will be remembered without asking for credentials again if the "remember me" checkbox is checked during the login (by default 2 weeks).

[devise]
remember_for = "2 weeks"


devise.maximum_attempts sets the number of failed authentication attempts allowed before a user is locked when lock_strategy is failed_attempts (by default 5).

[devise]
maximum_attempts = 5


devise.reset_password_within specifies how long the reset password key received in the password reset email remains valid (by default 6 hours).

[devise]
reset_password_within = "6 hours"


devise.paranoid enables "paranoid mode", which prevents user enumeration: a potential attacker cannot tell from the error messages whether an email address is registered in the system. Note, however, that this parameter has a limitation if the system allows registration. Check here for more.

[devise]
paranoid = true


devise.confirmation_required specifies whether an email address confirmation email should be sent after sign up (the default is false).

[devise]
confirmation_required = true


devise.allow_unconfirmed_access_for specifies for how long a user can log in without a confirmed email address (by default this is not enforced).

[devise]
allow_unconfirmed_access_for = "1 day"


devise.reconfirmation_required specifies whether a confirmation email should be sent (to the new email address) after an email address is changed (the default is true).

[devise]
reconfirmation_required = true


devise.send_email_changed_notification specifies whether a notification email should be sent (to the old email address) after an email address is changed (the default is true).

[devise]
send_email_changed_notification = true
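The following Ruby script is an added example and not eazyBI's code: a small in-memory model of the Devise-style behaviour that devise.maximum_attempts (with lock_strategy failed_attempts) and devise.paranoid govern. It shows the lockout counter, why the password reset request must answer identically for known and unknown addresses, and the registration limitation mentioned above (the sign-up form still reveals taken addresses). The PBKDF2 hashing, the message texts, the LoginGate class and the sample addresses are assumptions made for the example.

```ruby
# Added example, not eazyBI's code: a model of the Devise-style behaviour
# that devise.maximum_attempts and devise.paranoid govern.
# Assumptions (ours, not eazyBI's): PBKDF2 for password hashing, the exact
# message texts, and a single in-memory user store.
require "openssl"
require "securerandom"

class LoginGate
  # The sign-in error stays generic in both modes (Devise does the same).
  SIGN_IN_ERROR = "Invalid email or password."
  # Paranoid mode makes the reset request answer identical for known and
  # unknown addresses, so the response cannot be used to enumerate users.
  PARANOID_RESET = "If your email address exists in our database, you will receive a password recovery link."

  def initialize(maximum_attempts: 5, paranoid: true)
    @maximum_attempts = maximum_attempts
    @paranoid = paranoid
    @users = {}
  end

  # Open registration validates email uniqueness, so the sign-up form reveals
  # registered addresses regardless of paranoid mode (the limitation on this page).
  def register(email, password)
    return [:error, "Email has already been taken."] if @users.key?(email)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, digest: digest(password, salt), failed: 0, locked: false }
    [:ok, "Registered."]
  end

  # lock_strategy = failed_attempts: lock after maximum_attempts failures and
  # reset the counter on a successful sign-in.
  def attempt(email, password)
    user = @users[email]
    return [:error, SIGN_IN_ERROR] if user.nil?
    return [:error, @paranoid ? SIGN_IN_ERROR : "Your account is locked."] if user[:locked]
    if constant_time_equal?(user[:digest], digest(password, user[:salt]))
      user[:failed] = 0
      return [:ok, "Signed in."]
    end
    user[:failed] += 1
    user[:locked] = true if user[:failed] >= @maximum_attempts
    [:error, SIGN_IN_ERROR]
  end

  def request_password_reset(email)
    return PARANOID_RESET if @paranoid
    @users.key?(email) ? "Password reset instructions sent." : "Email not found."
  end

  def locked?(email)
    @users.dig(email, :locked) == true
  end

  private

  # 10_000 iterations keeps the example fast; production settings use far more.
  def digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32, hash: "sha256")
  end

  # Compare digests without leaking where they differ through timing.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  gate = LoginGate.new(maximum_attempts: 5, paranoid: true)
  gate.register("alice@example.com", "correct horse battery staple")
  5.times { gate.attempt("alice@example.com", "wrong") }
  puts "locked: #{gate.locked?('alice@example.com')}"
  puts gate.request_password_reset("nobody@example.com")
end
```

With paranoid = false the reset request for an unknown address returns a different message than for a registered one, which is exactly the signal paranoid mode removes; the sign-up uniqueness error is unaffected by the setting in either case.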

Password strength

By default, passwords should be at least 8 characters long and should not be more than 50 characters long. Specify a different range if needed.

[devise]
password_length = "8..50"


Specify the minimum required password entropy (longer passwords, or passwords with more unique characters, have higher entropy). Passwords with higher entropy are harder to guess with brute-force password cracking. The default value is 10. Try passwords of different complexity to check whether you need to increase or decrease this setting.

[password_strength]
min_entropy = 10


Specify whether the dictionary of the most common passwords should be used to prevent easy-to-guess passwords (enabled by default).

[password_strength]
use_dictionary = true
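The Ruby script below is an added example, not eazyBI's code, for trying candidate passwords against the three rules described in this section (password_length, min_entropy, use_dictionary) before changing min_entropy. The entropy estimate (unique characters times log2 of the character pool), the PasswordPolicy class and the tiny word list are assumptions made for the example; eazyBI's own formula and dictionary may differ, so use the script to compare candidates relative to each other rather than to reproduce eazyBI's exact number.

```ruby
# Added example, not eazyBI's code: a local checker for the password rules
# that devise.password_length, password_strength.min_entropy and
# password_strength.use_dictionary describe. The entropy estimate and the
# dictionary below are our assumptions, not eazyBI's implementation.

# Constructed sample; a real common-password list is far longer.
COMMON_PASSWORDS = %w[password 123456 12345678 qwerty letmein welcome admin123 iloveyou].freeze

class PasswordPolicy
  def initialize(password_length: "8..50", min_entropy: 10, use_dictionary: true)
    low, high = password_length.split("..").map(&:to_i) # same "8..50" notation as the TOML value
    @range = low..high
    @min_entropy = min_entropy
    @use_dictionary = use_dictionary
  end

  # Estimated bits: repeated characters do not widen the search space, so only
  # unique characters count, each worth log2(pool) bits for the classes used.
  def self.entropy_bits(password)
    pool = 0
    pool += 26 if password.match?(/[a-z]/)
    pool += 26 if password.match?(/[A-Z]/)
    pool += 10 if password.match?(/[0-9]/)
    pool += 33 if password.match?(/[^a-zA-Z0-9]/)
    return 0.0 if pool.zero?
    (password.chars.uniq.size * Math.log2(pool)).round(1)
  end

  # Returns the rules the password violates; an empty array means accepted.
  def violations(password)
    found = []
    found << :length unless @range.cover?(password.length)
    found << :entropy if self.class.entropy_bits(password) < @min_entropy
    found << :dictionary if @use_dictionary && COMMON_PASSWORDS.include?(password.downcase)
    found
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = PasswordPolicy.new(password_length: "8..50", min_entropy: 10, use_dictionary: true)
  %w[password aaaaaaaa Tr0ub4dor&3].each do |candidate|
    puts "#{candidate}: #{PasswordPolicy.entropy_bits(candidate)} bits, violations: #{policy.violations(candidate).inspect}"
  end
end
```

Raising min_entropy in the constructor shows which of your candidates start failing the entropy rule, and switching use_dictionary off shows how much of the protection against trivial passwords comes from the word list rather than from length or entropy.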