Usage of weak password constraint

• Rule ID: ruby_rails_password_length
• Languages: ruby
• Source: password_length.yml

Description

Weak password constraints can compromise system security. Ensure that your application's password policy enforces a minimum length of 8 characters during password creation or update processes.

Remediations

• Do enforce a minimum password length of at least 8 characters. This helps in creating stronger passwords that are more resistant to brute-force attacks.

  validates :password, presence: true, length: { minimum: 8, maximum: 255 }

• Do implement this validation at the model level in your application to ensure that all passwords meet the minimum length requirement.

References

• OWASP Authentication Cheat Sheet on proper password strength controls
• Devise gem for Ruby on Rails

Associated CWE

• CWE-521: Weak Password Requirements

OWASP Top 10

• A07:2021 - Identification and Authentication Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_password_length

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_password_length