Password protection and rules

Password rules

Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine the character rules for passwords:


Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII RFC 20 characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode ISO/IEC 10646 characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.

NIST Special Publication 800-63B

While these rules might seem lax independently, NIST's additional compromised password protection guidelines do more to prevent the use of unsafe passwords.

Also, please bear in mind, that passwords are not a requirement for using Clerk. Applications can be configured to use a passwordless strategy that relies on your users being sent one-time passwords instead.

Reject compromised passwords

Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine its handling of compromised passwords:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: NIST Special Publication 800-63B

  • Passwords obtained from previous breach corpuses.

Specifically, Clerk contracts with HaveIBeenPwned to compare prospective passwords against its corpus of over 10 billion compromised credentials.

Rejection of compromised passwords is enabled by default for sign-up and password changes. It is disabled by default for sign-in - learn more in the Reject compromised passwords on sign-in section.

To configure this feature:

  1. Navigate to the Clerk Dashboard.
  2. In the navigation sidenav, select User & Authentication > Email, Phone, Username.
  3. In the Authentication strategies section, next to Password, select the settings cog icon.
  4. You can enable or disable Reject compromised passwords on sign-up or password change, powered by HaveIBeenPwned.
  5. You can also enable or disable Reject compromised passwords also on sign-in. Learn more about this feature in the following section.

Reject compromised passwords on sign-in

Clerk also offers the ability to check for compromised passwords on sign-in. When the user provides the correct password, if it has been found in online breach data, they will be prompted to reset their password.

This is useful for blocking password sign-ins in the case that:

  • The password has recently been added to the compromised password database
  • The user was able to set a compromised password because protection was off at the time
  • The user was migrated to Clerk along with their existing password digest


Password reset for compromised passwords uses the same flow as "forgot password". The user will need to authenticate first via an OTP code sent to their email or phone and only then they will be able to set a new — more secure — password.


  • Before enabling rejection of compromised passwords on sign-in, please ensure your app has support for the password reset flow. You can do so by using Clerk components or implementing a custom flow.
  • If the user has no way of resetting their password — such as when your application does not require an email, phone number, or other communication method for sign-up — Clerk will not reject compromised passwords on sign-in.

Password strength

Clerk uses zxcvbn-ts for estimating the strength of passwords and leverages the Open Web Application Security Project (OWASP) guidelines to determine its handling of password strength:


OWASP recommends using a password strength estimation library like zxcvbn to evaluate the strength of passwords. This can help identify weak passwords and prevent their use.

For users that set an average/weak password that complies with your organization's policies but could be stronger - Clerk also provides a gentle recommendation to use a stronger password.


OWASP recommends providing feedback to users on the strength of their password and offering suggestions for improvement. This can help users create stronger passwords and improve the overall security of the application.


What did you think of this content?