
Ruby on Rails password validation

This week, I want to cover a common compliance requirement. If you ever went through a PCI, ISO 2007, SOC2, or similar compliance questionnaire, you found the following question in one form or another:

Let's see what we need to do to satisfy this requirement.

First of all, you must have a strong password policy. I recommend asking for a minimum of 12 characters, with at least one uppercase letter and one number.

You can use Active Record validations for this. If you have a password attribute on your model, you can add a validation similar to this example:

Additionally, you should validate that the password is not leaked. Luckily, there is a gem for that: https://github.com/philnash/pwned. After installing the gem, all you need to do is add the following validation to the model:

This will make a request to haveibeenpwned.com, mark the password as invalid if it has been pwned, and mark it as valid in case of a network or API error. You can find information about the various configuration options in the gem's README.

The final thing to prevent is credentials leaking. For this, you should store the passwords hashed with a robust hashing algorithm such as bcrypt.

That's it for now. I will publish a longer-form post tomorrow on my blog about securing authentication in Rails apps. Let me find the security holes before the bad guys do.
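The two checks described above, written as an added example in plain Ruby rather than as the post's own Active Record validations: the 12-character/uppercase/digit policy, and the k-anonymity lookup the pwned gem performs against the haveibeenpwned range API, including the fail-open behaviour on a network or API error. `fetch_range`, `CONSTRUCTED_RANGE`, `FAILING_RANGE` and the sample password are hypothetical stand-ins so the code runs offline.

```ruby
require "digest"

# Policy from the post: at least 12 characters, one uppercase letter and one digit.
MIN_LENGTH = 12

def policy_errors(password)
  errors = []
  errors << "is too short (minimum is #{MIN_LENGTH} characters)" if password.length < MIN_LENGTH
  errors << "must contain an uppercase letter" unless password.match?(/[A-Z]/)
  errors << "must contain a number" unless password.match?(/\d/)
  errors
end

# k-anonymity lookup as the pwned gem does it against the haveibeenpwned range API:
# SHA-1 the password, send only the first five hex chars, and look for the remaining
# 35 in the "SUFFIX:COUNT" lines that come back. fetch_range is an injected callable
# (hypothetical) that receives the prefix, so this example never touches the network.
def pwned?(password, fetch_range)
  sha1 = Digest::SHA1.hexdigest(password).upcase
  prefix, suffix = sha1[0, 5], sha1[5..]
  fetch_range.call(prefix).each_line.any? { |line| line.strip.split(":").first == suffix }
rescue StandardError
  # Mirrors the behaviour the post describes for the gem: a network or API error
  # lets the password through (fail open) instead of locking users out.
  false
end

def password_errors(password, fetch_range)
  errors = policy_errors(password)
  errors << "has previously appeared in a data breach" if pwned?(password, fetch_range)
  errors
end

# Constructed sample data: one "leaked" password and a stand-in for the range endpoint.
LEAKED_SAMPLE = "Password12345"
LEAKED_SHA1 = Digest::SHA1.hexdigest(LEAKED_SAMPLE).upcase
CONSTRUCTED_RANGE = lambda do |prefix|
  return "00000000000000000000000000000000000:1\r\n" unless prefix == LEAKED_SHA1[0, 5]
  "#{LEAKED_SHA1[5..]}:1234\r\nFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:3\r\n"
end
FAILING_RANGE = ->(_prefix) { raise IOError, "network down" }

if __FILE__ == $PROGRAM_NAME
  p password_errors("short1", CONSTRUCTED_RANGE)
  p password_errors(LEAKED_SAMPLE, CONSTRUCTED_RANGE)
  p password_errors(LEAKED_SAMPLE, FAILING_RANGE)
end
```

In a Rails model the same logic sits behind `validates` declarations; the point to keep from this version is that only a five-character hash prefix ever leaves the application, and that an outage silently disables the breach check.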



This post first appeared on VedVyas Articles, please read the original post: here
