Password protection and rules
Password rules
Clerk follows the National Institute of Standards and Technology (NIST) guidelines in NIST Special Publication 800-63B to determine the character rules for passwords.
While these rules might seem lax on their own, NIST's additional guidance on compromised-password protection does more to prevent the use of unsafe passwords.
Also bear in mind that passwords are not required to use Clerk. Applications can be configured to use a passwordless strategy that sends users one-time passwords instead.
Reject compromised passwords
Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine its handling of compromised passwords. From NIST Special Publication 800-63B:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
Specifically, Clerk contracts with HaveIBeenPwned to compare prospective passwords against its corpus of over 10 billion compromised credentials.
Rejection of compromised passwords is enabled by default for sign-up and password changes. It is disabled by default for sign-in; see the Reject compromised passwords on sign-in section below.
To configure this feature:
- In the Clerk Dashboard, navigate to the Email, phone, username page.
- In the Authentication strategies section, next to Password, select the settings icon.
- You can enable or disable Reject compromised passwords on sign-up or password change, powered by HaveIBeenPwned.
- You can also enable or disable Reject compromised passwords on sign-in. Learn more about this feature in the following section.
Reject compromised passwords on sign-in
Clerk also offers the ability to check for compromised passwords on sign-in. When a user signs in with the correct password but that password has been found in breach data, they are prompted to reset it.
This is useful for blocking password sign-ins when:
- The password has recently been added to the compromised password database
- The user was able to set a compromised password because protection was off at the time
- The user was migrated to Clerk along with their existing password digest
Limitations
- Before enabling rejection of compromised passwords on sign-in, ensure your app has support for the password reset flow. You can do so by using Clerk components or implementing a custom flow.
- If the user has no way of resetting their password — such as when your application does not require an email, phone number, or other communication method for sign-up — Clerk will not reject compromised passwords on sign-in.
Password strength
Clerk uses zxcvbn-ts to estimate the strength of passwords and follows the Open Web Application Security Project (OWASP) guidelines to determine its handling of password strength.
For users who set an average or weak password that complies with your organization's policies but could be stronger, Clerk also provides a gentle recommendation to use a stronger password.