When using Firebase's Email & Password setting it seems like there are no security constraints on the password.
For example I could create the following user:
I would argue that implementing front-end validation here should be enough (at least in a big portion of applications).
If the purpose of this validation is to protect the user himself, then there is no harm in allowing a user to hack your app and set the password to password, go to a forum and post the credentials, and jump out of a window.
A FirebaseAuthWeakPasswordException is thrown when using a weak password (less than 6 chars) to create a new account or to update an existing account's password. Use getReason() to get a message with the reason the validation failed that you can display to your users.
See https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuthWeakPasswordException for more details.
The problem is with the Reset Password form that Firebase sends. It would be nice to use it and not have to build this out as well.
There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.
You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce a "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sound very appealing.
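Added example (not code from the question or either answer): a password policy check of the kind the answer above says you would have to build yourself, written so the same function can run in the sign-up form and in a server-side process, since a check that lives only in the client can be bypassed by calling the Firebase API directly. The 6-character floor mirrors the only rule Firebase enforces itself (the one behind FirebaseAuthWeakPasswordException in the earlier answer); the 12-character minimum, the character-class count, the deny list and the "must not contain your email" rule are assumed policy choices for this example, and the deny-list entries are constructed.

```javascript
// Added example, not part of the original Q&A. Pure policy logic with no
// Firebase dependency so it can be shared by the client form and a server-side
// approval step; the Firebase SDK would be called only after this returns ok.

// The only constraint Firebase email+password auth applies on its own.
const FIREBASE_MIN_LENGTH = 6;

// Constructed deny list for the example; a real deployment would use a much
// larger list (for instance a breached-password corpus).
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome12345",
]);

// Assumed policy for this example; every value here is a choice, not a Firebase rule.
const DEFAULT_POLICY = {
  minLength: 12,
  maxLength: 128,
  requireClasses: 3, // of: lowercase, uppercase, digit, other
  denyList: COMMON_PASSWORDS,
};

// Counts how many of the four character classes appear in the password.
function characterClasses(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n++;
  if (/[A-Z]/.test(pw)) n++;
  if (/[0-9]/.test(pw)) n++;
  if (/[^a-zA-Z0-9]/.test(pw)) n++;
  return n;
}

// Returns { ok: true } or { ok: false, reason } where reason is a message safe
// to show to the user, in the spirit of getReason() on the Android exception.
// `email` is optional; when given, the local part must not appear in the password.
function checkPassword(pw, policy = DEFAULT_POLICY, email = "") {
  if (typeof pw !== "string") {
    return { ok: false, reason: "Password must be a string" };
  }
  // Count code points rather than UTF-16 units so multi-byte characters are not
  // double counted.
  const length = [...pw].length;
  if (length < FIREBASE_MIN_LENGTH) {
    return { ok: false, reason: `Password should be at least ${FIREBASE_MIN_LENGTH} characters` };
  }
  if (length < policy.minLength) {
    return { ok: false, reason: `Password should be at least ${policy.minLength} characters` };
  }
  if (length > policy.maxLength) {
    return { ok: false, reason: `Password should be at most ${policy.maxLength} characters` };
  }
  if (characterClasses(pw) < policy.requireClasses) {
    return {
      ok: false,
      reason: `Password should use at least ${policy.requireClasses} of: lowercase, uppercase, digits, symbols`,
    };
  }
  if (policy.denyList.has(pw.toLowerCase())) {
    return { ok: false, reason: "Password is too common" };
  }
  const local = email.split("@")[0].toLowerCase();
  // Only reject on the local part when it is long enough to be a meaningful match.
  if (local.length >= 4 && pw.toLowerCase().includes(local)) {
    return { ok: false, reason: "Password must not contain your email address" };
  }
  return { ok: true };
}
```

The client calls checkPassword before invoking createUserWithEmailAndPassword so the user gets an immediate message; the server-side process that would set a flag such as the "isPasswordApproved" the answer mentions calls the same function, and that second call is the one that actually enforces the policy, because it is the only one a tech-savvy user cannot skip.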