Password authentication
There are several authentication settings you can modify in the config/eazybi.toml
file. See the example file config/eazybi.toml.sample
for commented examples of settings.
Authentication
devise.timeout_in
specifies how long a user session stays valid without activity (by default 10 hours). After that period of inactivity the user is asked for credentials again. Shorter values limit how long an unattended or hijacked session can be used.
[devise]
timeout_in = "10 hours"
devise.invite_for
specifies for how long the generated invitation token (sent in the invitation email) stays valid (by default 2 weeks). An invitation opened after that period cannot be accepted and has to be re-sent.
[devise]
invite_for = "2 weeks"
devise.remember_for
sets for how long a user who ticked the "remember me" checkbox at login stays signed in without being asked for credentials again (by default 2 weeks). The remember-me cookie survives browser restarts, so a longer period also lengthens the window in which a stolen cookie can be used.
[devise]
remember_for = "2 weeks"
devise.maximum_attempts
sets the number of failed authentication attempts after which a user account is locked, if lock_strategy is failed_attempts (by default 5).
[devise]
maximum_attempts = 5
devise.reset_password_within
specifies for how long the password reset key received in the password reset email can be used to set a new password (by default 6 hours).
[devise]
reset_password_within = "6 hours"
devise.paranoid
can be used to enable "paranoid mode" to avoid user enumeration. When enabled, the login and password reset error messages no longer reveal whether an email address is registered in the system, so a potential attacker cannot use them to compile a list of valid accounts. Note, however, that this parameter has a limitation if the system allows self-registration: the sign-up form still has to report that an email address is already taken, which reveals the same information.
[devise]
paranoid = true
devise.confirmation_required
specifies whether an email address confirmation email should be sent after a sign-up (by default false).
[devise]
confirmation_required = true
devise.allow_unconfirmed_access_for
specifies for how long a user can log in without having confirmed their email address (by default this is not enforced). Set it to a short period if confirmation_required is enabled, so that an unverified address cannot be used indefinitely.
[devise]
allow_unconfirmed_access_for = "1 day"
devise.reconfirmation_required
specifies whether a confirmation email should be sent (to the new email address) after an email address is changed (by default true).
[devise]
reconfirmation_required = true
devise.send_email_changed_notification
specifies whether a notification email should be sent (to the old email address) after an email address is changed (by default true). Keep this enabled: it is the only signal the legitimate owner gets if someone changes the address on a hijacked account.
[devise]
send_email_changed_notification = true
Password strength
By default, passwords must be at least 8 characters long and at most 50 characters long. Specify a different range if needed.
[devise]
password_length = "8..50"
Specify the minimum required password entropy (longer passwords, or passwords with more unique characters, have higher entropy). Passwords with higher entropy are harder to guess by brute-force password cracking. The default value is 10. Try passwords of different complexity to check whether you need to increase or decrease this setting.
[password_strength]
min_entropy = 10
Specify whether a dictionary of the most common passwords should be used to reject easy-to-guess passwords (enabled by default).
[password_strength]
use_dictionary = true
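The settings above are easy to loosen by accident and nothing in the file itself warns about it. The following Ruby script is an added example, not part of eazyBI or its documentation: it reads the [devise] and [password_strength] tables from a config/eazybi.toml-style file and flags values weaker than a conservative baseline. It assumes the flat `[table]` / `key = value` layout shown on this page (strings, integers and booleans only), duration strings in the form "10 hours" / "2 weeks", and the defaults stated above; the thresholds it applies (12-hour idle timeout, 30-day remember-me and invitation lifetimes, 24-hour reset tokens, 10 failed attempts) are this example's own choices, not eazyBI recommendations. The sample configuration embedded in the script is constructed for the demonstration.

```ruby
# Added example (not eazyBI code): audit config/eazybi.toml authentication settings.
# Assumption: the file uses only the TOML subset shown in the docs
# ([table] headers, "string", integer and true/false values).

SECONDS = {
  "second" => 1, "minute" => 60, "hour" => 3600, "day" => 86_400, "week" => 604_800
}.freeze

# Minimal parser for that TOML subset. Full-line comments and blank lines are
# skipped; anything else it does not understand raises, rather than guessing.
def parse_toml_subset(text)
  config = Hash.new { |h, k| h[k] = {} }
  table = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[([\w.\-]+)\]\z/))
      table = m[1]
    elsif (m = line.match(/\A([\w\-]+)\s*=\s*(.+)\z/))
      raise "key outside a table: #{line}" unless table
      config[table][m[1]] = parse_value(m[2])
    else
      raise "unsupported line: #{line}"
    end
  end
  config
end

def parse_value(raw)
  case raw
  when /\A"([^"]*)"\z/ then Regexp.last_match(1)
  when "true" then true
  when "false" then false
  when /\A-?\d+\z/ then raw.to_i
  else raise "unsupported value: #{raw}"
  end
end

# "10 hours" -> 36000, "2 weeks" -> 1209600; nil when the string is not a duration.
def duration_to_seconds(str)
  m = str.to_s.match(/\A(\d+)\s+(second|minute|hour|day|week)s?\z/)
  m && m[1].to_i * SECONDS[m[2]]
end

# Returns an array of "key: problem" strings; empty means nothing to flag.
# Unset keys are checked at the documented defaults.
def audit_auth_settings(config)
  devise = config["devise"] || {}
  strength = config["password_strength"] || {}
  findings = []

  durations = {
    "timeout_in"            => ["10 hours", 12 * 3600,    "idle session timeout above 12 hours"],
    "remember_for"          => ["2 weeks",  30 * 86_400,  "remember-me cookie lives longer than 30 days"],
    "invite_for"            => ["2 weeks",  30 * 86_400,  "invitation token valid longer than 30 days"],
    "reset_password_within" => ["6 hours",  24 * 3600,    "password reset key valid longer than 24 hours"]
  }
  durations.each do |key, (default, limit, message)|
    seconds = duration_to_seconds(devise.fetch(key, default))
    findings << "#{key}: #{message}" if seconds.nil? || seconds > limit
  end

  attempts = devise.fetch("maximum_attempts", 5)
  findings << "maximum_attempts: lockout threshold above 10 failed logins" unless attempts.is_a?(Integer) && attempts <= 10
  findings << "paranoid: not set to true, error messages can reveal whether an email is registered" unless devise["paranoid"] == true
  findings << "confirmation_required: accounts usable without a verified email address" unless devise["confirmation_required"] == true
  findings << "reconfirmation_required: email changes are not re-verified" if devise["reconfirmation_required"] == false
  findings << "send_email_changed_notification: owner is not told when the account email changes" if devise["send_email_changed_notification"] == false

  min_len, max_len = devise.fetch("password_length", "8..50").to_s.split("..").map(&:to_i)
  findings << "password_length: minimum below 8 characters" if min_len.nil? || min_len < 8
  findings << "password_length: range is inverted or malformed" if max_len.nil? || max_len < min_len.to_i

  entropy = strength.fetch("min_entropy", 10)
  findings << "min_entropy: below the default of 10" unless entropy.is_a?(Integer) && entropy >= 10
  findings << "use_dictionary: common-password dictionary check disabled" if strength["use_dictionary"] == false
  findings
end

# Constructed sample, not a real deployment's file: several settings are weak on purpose.
SAMPLE_CONFIG = <<~TOML
  [devise]
  timeout_in = "3 days"
  remember_for = "2 weeks"
  maximum_attempts = 50
  reset_password_within = "6 hours"
  paranoid = false
  password_length = "6..50"

  [password_strength]
  min_entropy = 4
  use_dictionary = false
TOML

if __FILE__ == $PROGRAM_NAME
  audit_auth_settings(parse_toml_subset(SAMPLE_CONFIG)).each { |f| puts f }
end
```

Run it against a real file with `audit_auth_settings(parse_toml_subset(File.read("config/eazybi.toml")))`; a file that enables paranoid mode and email confirmation and keeps the other documented defaults produces no findings. The parser deliberately refuses lines it does not understand instead of skipping them, so a setting written in a form this audit cannot interpret is surfaced rather than silently treated as the default.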