Skip to main content
Docs

Password protection and rules

Password rules

Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine the character rules for passwords:

Note

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII RFC 20 characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode ISO/IEC 10646 characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.

NIST Special Publication 800-63B

While these rules might seem lax independently, NIST's additional compromised password protection guidelines do more to prevent the use of unsafe passwords.

Also, bear in mind, that passwords are not a requirement for using Clerk. Applications can be configured to use a passwordless strategy that relies on your users being sent one-time passwords instead.

Reject compromised passwords

Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine its handling of compromised passwords:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. NIST Special Publication 800-63B

Specifically, Clerk contracts with HaveIBeenPwned to compare prospective passwords against its corpus of over 10 billion compromised credentials.

When the user provides the correct password, if it has been found in online breach data, they will be prompted to reset their password. This is useful for blocking passwords in the case that:

  • The password has recently been added to the compromised password database
  • The user was able to set a compromised password because protection was off at the time
  • The user was migrated to Clerk along with their existing password digest

Note

Password reset for compromised passwords uses the same flow as "forgot password". The user will need to authenticate first via an OTP code sent to their email or phone and only then they will be able to set a new — more secure — password.

To configure this feature:

  1. In the Clerk Dashboard, navigate to the User & authentication page.
  2. Select the Password tab and on the right side, select Update password requirements. You can enable or disable Reject compromised passwords.

Password strength

Clerk uses zxcvbn-ts for estimating the strength of passwords and leverages the Open Web Application Security Project (OWASP) guidelines to determine its handling of password strength:

Note

OWASP recommends using a password strength estimation library like zxcvbn to evaluate the strength of passwords. This can help identify weak passwords and prevent their use.

For users that set an average/weak password that complies with your organization's policies but could be stronger - Clerk also provides a gentle recommendation to use a stronger password.

Note

OWASP recommends providing feedback to users on the strength of their password and offering suggestions for improvement. This can help users create stronger passwords and improve the overall security of the application.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on