Devise: Disable password confirmation during sign-up

Question

I am using Devise for Rails. In the default registration process, Devise requires users to type the password twice for validation and authentication. How can I disable it?

What do you do if a person makes a typo when they type the password in the one box? There are reasons for having a confirmation on password forms, and you should be sure about removing it — Gareth, May 08 '10 at 19:25
yup. i would like to remove it. to simplified the registration process. any suggestion on how to disable it? — Victor Lam, May 08 '10 at 19:38
@Gareth Kind of a late reply, but you can use the email password reset if users type it wrong. A lot of usability people are starting to prefer this approach, as it's simpler for the user. — LandonSchropp, Dec 08 '11 at 11:35
http://stackoverflow.com/questions/11641901/remove-password-confirmation-devise — XY L, Jul 08 '16 at 13:56

mistertim · Accepted Answer · 2022-03-03T15:32:01.713

To disable password confirmation you can simply remove the password_confirmation field from the registration form. This disables the need to confirm the password entirely!

Generate devise views if you haven't: rails g devise:views
Remove the password_confirmation section in app\views\devise\registrations\new.html.erb

The reason why this works lies in lib/devise/models/validatable.rb in the Devise source:

module Devise
  module Models
    module Validatable
 

      def self.included(base)

        base.class_eval do
          #....SNIP...
          validates_confirmation_of :password, :if => :password_required?
        end
      end
      
      #...SNIP...
      
      def password_required?
        !persisted? || !password.nil? || !password_confirmation.nil?
      end
    end
  end
end

Note that the validation is only triggered if password_required? returns true, and password_required? will return false if the password_confirmation field is nil.

Because where the password_confirmation field is present in the form, it will always be included in the parameters hash , as an empty string if it is left blank, the validation is triggered. However, if you remove the input from the form, the password_confirmation in the params will be nil, and therefore the validation will not be triggered.

Thanks @misertim. You are correct. Actually I forget this question. You are right. The correct solution is remove the password_confirmation field. Devise will just ignore the validation. — Victor Lam, Nov 28 '12 at 15:22
@mistertim That was a smart answer. I was prepared to fight with Devise for hours, but it turned out pretty easy. Thanks. — rohitmishra, Dec 19 '12 at 13:07
Not really getting this... If the password field exists, isn't the validation done even if the password_confirmation field doesn't? — mrstif, Feb 03 '15 at 17:09

score 36 · Answer 2 · answered Dec 24 '10 at 22:44

36

It seems if you just remove the attr_accessible requirement from the model it works just fine without it.

On a side note, I agree with this practice, in the rare case there was a typo, the user can simply use the password recovery to recover their password.

answered Dec 24 '10 at 22:44

Jeff Dickey

5,036
4
28
39

11

This should be the right answer. Assuming you are using user.rb as your devise model simply remove attribute_accessible for password_confirmation and remove the field in the view. – Gary Haran May 18 '11 at 20:32
Even more. On some apps registration go asynchronous, so sending the same data is unneded, some validations (that are not critical, this one isn't) can be done in view. – Hauleth Apr 06 '13 at 19:02

score 11 · Answer 3 · answered May 09 '10 at 05:29

11

I am not familiar with Devise but if you have access to the model in the controller before save/validation could you do something like the following

model.password_confirmation = model.password
model.save

answered May 09 '10 at 05:29

Will

8,102
5
30
32

score 3 · Answer 4 · answered Mar 04 '14 at 02:27

For the sake of Rails 4 users who find this question, simply delete :password_confirmation from the permitted params, which you declare in ApplicationController.rb.

before_filter :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) do |u|
    u.permit(:username, :email, :password)
  end
  devise_parameter_sanitizer.for(:account_update) do |u|
    u.permit(:username, :email, :password)
  end
end

score 2 · Answer 5 · answered Oct 07 '14 at 13:32

2

Simplest solution:

Remove :validatable from

devise :database_authenticatable, :registerable,
 :recoverable, :rememberable, :trackable,
 :confirmable, :timeoutable, :validatable

;)

answered Oct 07 '14 at 13:32

Nesha Zoric

6,218
42
34

The problem with this answer is that it also removes the validation on the email field and the complexity of the password. This answer should also provide a validation for the email and password complexity – ZedTuX Nov 21 '20 at 12:07

score 2 · Answer 6 · answered Jul 16 '15 at 10:20

2

You just need to remove the password_confirmation field from your form.

answered Jul 16 '15 at 10:20

Robin Garg

203
2
13

score 1 · Answer 7 · answered Jul 18 '11 at 23:06

1

See wiki

def update_with_password(params={})
  params.delete(:current_password)
  self.update_without_password(params)
end

https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password

answered Jul 18 '11 at 23:06

Peter Ehrlich

6,969
4
49
65

score 0 · Answer 8 · answered Sep 30 '14 at 21:46

Devise's default validations (lib/devise/models/validatable.rb):

validates_confirmation_of :password, :if => :password_required?

and method:

def password_required?
  !persisted? || !password.nil? || !password_confirmation.nil?
end

We need override Devise default password validation. Put the following code at the end in order for it not to be overridden by any of Devise's own settings.

validates_confirmation_of :password, if: :revalid
def revalid
  false
end

And your model would look like this:

class User < ActiveRecord::Base      
  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable,
     :confirmable, :timeoutable, :validatable

  validates_confirmation_of :password, if: :revalid

  def revalid
    false
  end
end

Then remove the password_confirmation field from the registration form.

score 0 · Answer 9 · edited Jul 15 '16 at 10:30

I think this is the simple way to disable password confirmation: https://github.com/plataformatec/devise/wiki/Disable-password-confirmation-during-registration

Some users wants to make the registration process shorter and easier. One of fields that can be removed is the Password confirmation.

Easiest solution is: you can simply remove the password_confirmation field from the registration form located at devise/registrations/new.html.erb (new.html.haml if you are using HAML), which disables the need to confirm the password entirely!

The reason for this lies in lib/devise/models/validatable.rb in the Devise source:

Note that the validation is only triggered if password_required? returns true, and password_required? will return false if the password_confirmation field is nil.

Because where the password_confirmation field is present in the form, it will always be included in the parameters hash , as an empty string if it is left blank, the validation is triggered. However, if you remove the input from the form, the password_confirmation in the params will be nil, and therefore the validation will not be triggered.

Devise: Disable password confirmation during sign-up

9 Answers9

Linked