Merge branch 'custom_password_length' into 'master'

Document how to customize password length limits

2 files changed, 16 insertions, 0 deletions

diff --git a/config/initializers/devise_password_length.rb.example b/config/initializers/devise_password_length.rb.example
new file mode 100644
index 00000000000..97305825e07
--- /dev/null
+++ b/config/initializers/devise_password_length.rb.example
@@ -0,0 +1,6 @@
+Devise.setup do |config|
+  # The following line changes the password length limits for new users. In the
+  # example below the minimum length is 12 characters, and the maximum length
+  # is 128 characters.
+  config.password_length = 12..128
+end
diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md
new file mode 100644
index 00000000000..c8d66e9636c
--- /dev/null
+++ b/doc/security/password_length_limits.md
@@ -0,0 +1,10 @@
+# Custom password length limits
+
+If you want to enforce longer user passwords you can create an extra Devise initializer with the steps below.
+If you do not use the `devise_password_length.rb` initializer the password length is set to a minimum of 8 characters in `config/initializers/devise.rb`.
+
+```bash
+cd /home/git/gitlab
+sudo -u git -H cp config/initializers/devise_password_length.rb.example config/initializers/devise_password_length.rb
+sudo -u git -H editor config/initializers/devise_password_length.rb   # inspect and edit the new password length limits
+```