# Password protection and rules ## Password rules Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine the character rules for passwords: > Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20](https://datatracker.ietf.org/doc/html/rfc20) characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/IEC 10646](https://en.wikipedia.org/wiki/Universal_Coded_Character_Set) characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character. [NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5) While these rules might seem lax independently, NIST's additional compromised password protection guidelines do more to prevent the use of unsafe passwords. Also, bear in mind, that passwords are not a requirement for using Clerk. Applications can be configured to use a passwordless strategy that relies on your users being sent one-time passwords instead. ## Reject compromised passwords Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine its handling of compromised passwords: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. [NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5) Specifically, Clerk contracts with [HaveIBeenPwned](https://haveibeenpwned.com/) to compare prospective passwords against its corpus of over 10 billion compromised credentials. When the user provides the correct password, if it has been found in online breach data, they will be prompted to reset their password. This is useful for blocking passwords in the case that: - The password has recently been added to the compromised password database - The user was able to set a compromised password because protection was off at the time - The user was migrated to Clerk along with their existing password digest > Password reset for compromised passwords uses the same flow as "forgot password". The user will need to authenticate first via an OTP code sent to their email or phone and only then they will be able to set a new — more secure — password. To configure this feature: 1. In the Clerk Dashboard, navigate to the [**User & authentication**](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) page. 2. Select the **Password** tab and on the right side, select **Update password requirements**. You can enable or disable **Reject compromised passwords**. ## Password strength Clerk uses [zxcvbn-ts](https://zxcvbn-ts.github.io/zxcvbn/) for estimating the strength of passwords and leverages the [Open Web Application Security Project (OWASP) guidelines](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) to determine its handling of password strength: > OWASP recommends using a password strength estimation library like zxcvbn to evaluate the strength of passwords. This can help identify weak passwords and prevent their use. For users that set an average/weak password that complies with your organization's policies but could be stronger - Clerk also provides a gentle recommendation to use a stronger password. > OWASP recommends providing feedback to users on the strength of their password and offering suggestions for improvement. This can help users create stronger passwords and improve the overall security of the application. ## Manually set a password as compromised > If your instance is older than December 18, 2025, you will need to update your instance to the **Reset password session task** update. Clerk provides a way to manually set a password as compromised. This is useful for blocking passwords in the case that: - The password has recently been added to the compromised password database. - The user was able to set a compromised password because protection was off at the time. To manually set a user's password as compromised: 1. In the Clerk Dashboard, navigate to [**Users**](https://dashboard.clerk.com/~/users) page and select the user you want to mark as compromised. You'll be redirected to the user's settings. 2. In the **Password** section, if a password is set, select the three dots icon and select **Set password as compromised**. A modal will appear asking you to confirm the action. Complete the instructions. > Setting a user's password as compromised will prevent the user from signing in until they reset their password. If you are implementing custom authentication flows, you will need to handle the compromised password flow by yourself. See the [dedicated custom flow guide](https://clerk.com/docs/guides/development/custom-flows/authentication/forgot-password.md) for more information. --- ## Sitemap [Overview of all docs pages](https://clerk.com/docs/llms.txt)