When using Firebase's Email & Password setting it seems like there are no security constraints on the password.
For example I could create the following user:
firebaseRef.createUser(
{
email: "[email protected]",
password: "j"
});
I'd like to at least set a minimum password length. Does firebase provide a way to do this?
Update (2024): for Firebase projects that have upgraded to Identity Platform, you can now set the minimal password length (and other requirements). Check out the documentation on password policies.
Old answer below, just kept for reference.
The below answer is outdated, check above for the latest 👆
There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.
You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce a "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sound very appealing.