oojikoo-gist/devise_security_fix.rb

## devise_security_fix.rb
# /config/initializers/devise.rb
  config.password_length = 8..128

# user model validates
validate :password_complexity
 def password_complexity
    if password.present? and not password.match(/\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+\z/)
        errors.add :password, "must include at least one lowercase letter, one uppercase letter, and one digit"
    end
 end

#  /config/initializers/devise.rb
config.stretches = Rails.env.test? ? 1 : 10
	# /config/initializers/devise.rb
	config.password_length = 8..128

	# user model validates
	validate :password_complexity
	def password_complexity
	if password.present? and not password.match(/\A(?=.[a-z])(?=.[A-Z])(?=.*\d).+\z/)
	errors.add :password, "must include at least one lowercase letter, one uppercase letter, and one digit"
	end
	end

	# /config/initializers/devise.rb
	config.stretches = Rails.env.test? ? 1 : 10