28

When using Firebase's Email & Password setting it seems like there are no security constraints on the password.

For example I could create the following user:

firebaseRef.createUser({
    email: "[email protected]",
    password: "j"
});

I'd like to at least set a minimum password length. Does firebase provide a way to do this?

4 Answers

32

Update (2024): for Firebase projects that have upgraded to Identity Platform, you can now set the minimal password length (and other requirements). Check out the documentation on password policies.

Old answer below, just kept for reference.
The below answer is outdated, check above for the latest 👆

There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.

You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce an "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sounds very appealing.

32

A FirebaseAuthWeakPasswordException is thrown when using a weak password (less than 6 chars) to create a new account or to update an existing account's password. Use getReason() to get a message with the reason the validation failed that you can display to your users.

See https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuthWeakPasswordException for more details.

2 Comments

String reason = ((FirebaseAuthWeakPasswordException) task.getException()).getReason();
In fact, just using task.getException().getMessage() also works as expected.
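
Added example (not from the original question, the answers, or the Firebase SDK): a client-side policy check that mirrors the requirements a server-side policy would enforce, covering both the legacy 6-character minimum described above and the configurable requirements the 2024 update refers to. The policy object shape and the sample messages are assumptions; only the `auth/weak-password` error code is the web SDK's real one. The client check is defense in depth for usability, while the server-enforced policy remains the control that cannot be bypassed by calling the API directly.

```javascript
// Hypothetical policy shape, modelled on "minimum length and other requirements".
// The defaults reproduce the legacy behaviour: only a 6-character minimum.
const DEFAULT_POLICY = {
  minLength: 6,
  requireUppercase: false,
  requireLowercase: false,
  requireDigit: false,
  requireSpecial: false,
};

// Returns the list of unmet requirements; an empty list means the password passes.
// Because this runs in the client it only improves feedback; the server decides.
function checkPasswordPolicy(password, policy = DEFAULT_POLICY) {
  const failures = [];
  const pw = typeof password === "string" ? password : "";
  if (pw.length < policy.minLength) {
    failures.push(`at least ${policy.minLength} characters`);
  }
  if (policy.requireUppercase && !/[A-Z]/.test(pw)) failures.push("an uppercase letter");
  if (policy.requireLowercase && !/[a-z]/.test(pw)) failures.push("a lowercase letter");
  if (policy.requireDigit && !/[0-9]/.test(pw)) failures.push("a digit");
  if (policy.requireSpecial && !/[^A-Za-z0-9]/.test(pw)) failures.push("a special character");
  return failures;
}

// Maps a sign-up error to a user-facing message. The Firebase web SDK reports a
// server-rejected weak password with code "auth/weak-password" (the web counterpart
// of FirebaseAuthWeakPasswordException); anything else gets a generic message so the
// UI does not leak internal details.
function describeSignUpError(err) {
  if (err && err.code === "auth/weak-password") {
    return "Password rejected by the server: " + (err.message || "too weak");
  }
  return "Sign-up failed; please try again.";
}

// Constructed sample policy (not a real project setting) with stricter requirements.
const STRICT_POLICY = {
  minLength: 12,
  requireUppercase: true,
  requireLowercase: true,
  requireDigit: true,
  requireSpecial: true,
};

// Constructed sample error object mimicking what the web SDK would reject.
const SAMPLE_WEAK_ERROR = { code: "auth/weak-password", message: "Password should be at least 6 characters" };
```

Run `checkPasswordPolicy("j")` to see the single-character password from the question fail the default policy, and `checkPasswordPolicy("password", STRICT_POLICY)` to see a common weak choice fail four of five requirements.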

15

I would argue that implementing front-end validation here should be enough (at least in a big portion of applications).

If the purpose of this validation is to protect the user himself, then there is no harm in allowing a user to hack your app and set the password to password, go to a forum and post the credentials, and jump out of a window.

1 Comment

The thing is the user can do a password reset and set a new password with no validation done by the app there (unless a custom auth handler is used).

3

The problem is with the Reset Password form that Firebase sends. It would be nice to use it and not have to build this out as well.

1 Comment

You can customize the reset password form and navigate the user to a custom URL. From there you can handle custom logic/backend calls etc.: firebase.google.com/docs/auth/custom-email-handler
