Skip to Content
Clerk logo

Clerk Docs

Ctrl + K
Go to clerkstage.dev

Password protection and rules

Password rules

Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine the character rules for passwords:

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII RFC 20(opens in a new tab) characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode ISO/IEC 10646(opens in a new tab) characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.

NIST Special Publication 800-63B(opens in a new tab)

While these rules might seem lax independently, NIST's additional leaked password protection guidelines do more to prevent the use of unsafe passwords.

Also, please bear in mind, that passwords are not a requirement for using Clerk. Applications can be configured to use a passwordless strategy that relies on your users being sent one-time passwords instead.

Reject compromised passwords

Clerk refers to the National Institute of Standards and Technology (NIST) guidelines to determine its handling of compromised passwords:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: NIST Special Publication 800-63B(opens in a new tab)

  • Passwords obtained from previous breach corpuses.

Specifically, Clerk contracts with have i been pwned(opens in a new tab) to compare prospective passwords against its corpus of over 10 billion leaked credentials.

Rejection of compromised passwords is enabled by default on all Clerk apps, for sign-up and password changes.

Settings for this feature can be found in the Clerk Dashboard under User & Authentication > Email, Phone, Username(opens in a new tab), in the Authentication strategies > Password section.

Settings for compromised password handling

Reject compromised passwords on sign-in

As can be seen in the above screenshot, Clerk also offers the capability to check for compromised passwords upon sign-in.

This is useful for blocking password sign-ins in the case that:

  • the password has recently been added to the compromised password database
  • the user was able to set a compromised password because protection was off at the time
  • the user was migrated to Clerk along with their existing password digest

If enabled, when the user provides their correct password that nevertheless has been found in online breach data, they will not be signed in, but instead prompted to reset their password.

Password reset for compromised passwords utilizes the same flow as for "forgot password", i.e. the user will need to authenticate first via an OTP code on their email or phone and only then they will be able to set a new, more secure, password.

Disclaimers:

  • Prior to enabling rejection of compromised passwords on sign-in, please ensure your app has support for the password reset flow, either by utilizing Clerk components or via your own custom implementation
  • If the user has no way of resetting their password, e.g. if the application configuration allows for a user to be without a communication method, then Clerk will not enforce this restriction for the impacted user

Password strength

Clerk uses zxcvbn-ts(opens in a new tab) for estimating the strength of passwords and leverages the Open Web Application Security Project (OWASP) guidelines(opens in a new tab) to determine its handling of password strength:

OWASP recommends using a password strength estimation library like zxcvbn to evaluate the strength of passwords. This can help identify weak passwords and prevent their use.

For users that set an average/weak password that complies with your organization's policies but could be stronger - Clerk also provides a gentle recommendation to use a stronger password.

OWASP recommends providing feedback to users on the strength of their password and offering suggestions for improvement. This can help users create stronger passwords and improve the overall security of the application.

What did you think of this content?

Clerk © 2024