Settings: Auth Providers: Passwords

Provider state

If inactive, disables all password-based authentication and related functions (such as resetting passwords).

Minimum length

The minimum length of all new passwords.

Minimum complexity

There are numerous ways to encourage users to use strong passwords over weak ones. One of the best is requiring a certain level of password complexity.

AuthRocket uses the zxcvbn algorithm, which is excellent at encouraging all types of better passwords while allowing users the freedom to choose exactly how they arrive at that better password. Adding numbers or symbols does result in stronger passwords, but so does just adding more lowercase letters. zxcvbn handles all of these scenarios quite well and is what we recommend.

AuthRocket uses rate limiting to prevent brute-forcing of passwords. If a password were nonetheless subjected to a brute-force attack, here is roughly how long each strength setting would take to crack:

Setting     Strength (per password)
--------    -----------------------
High        Crackable in years
Medium      Crackable in days
Low         Crackable in hours
Insecure    Crackable in minutes

Additionally, if you are using LoginRocket, a “Password is <strength>” type message will automatically be displayed when minimum complexity is enabled.

Passwords must include

In lieu of the minimum complexity option above, you can choose to use an older-style “required character sets” approach, including requiring at least 1 lowercase letter, 1 uppercase letter, 1 number, and/or 1 special character.

Unless you have a preexisting corporate policy that requires character sets, we discourage this and suggest minimum complexity instead, as it nearly always results in stronger yet more memorable passwords (read: users are less likely to write them on a sticky note).
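
To make the difference between the two options concrete, the following added example (not AuthRocket's or zxcvbn's code) runs a required-character-sets check and a simplified guess estimate over the same passwords. The word list, the factor of 100 for case/l33t variants, the function names, and the sample passwords are all assumptions made for illustration; real zxcvbn uses far larger dictionaries and more pattern matchers.

```python
import math
import re

# Constructed stand-in for the large ranked dictionaries a real estimator uses.
COMMON = ["password", "qwerty", "letmein", "welcome", "dragon", "monkey"]
# Undo common l33t substitutions before the dictionary lookup (ASCII only).
LEET = str.maketrans("@4310$5!7", "aaeiossit")
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]

def meets_charsets(pw):
    """Required character sets: 1 lowercase, 1 uppercase, 1 number, 1 special."""
    return all(re.search(pattern, pw) for pattern, _ in CLASSES)

def brute_log10(s):
    """log10 of the search space for s: (alphabet size) ** len(s)."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, s))
    return len(s) * math.log10(max(alphabet, 1))

def log10_guesses(pw):
    """Rough log10 of guesses to find pw (hypothetical scoring, not zxcvbn's)."""
    norm = pw.lower().translate(LEET)
    for rank, word in enumerate(COMMON, start=1):
        i = norm.find(word)
        if i >= 0:
            # Dictionary hit: rank in the list, times an assumed 100 case/l33t
            # variants, times brute force over the leftover characters.
            rest = pw[:i] + pw[i + len(word):]
            return math.log10(rank * 100) + brute_log10(rest)
    return brute_log10(pw)

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["P@ssw0rd1!", "kfjwqzmh", "kfjwqz7!", "kfjwqzmhxrtp",
               "violetharborlanterncrumb"]:
        print(f"{pw:26} charsets={meets_charsets(pw)!s:5} "
              f"log10(guesses)={log10_guesses(pw):5.1f}")
```

The character-set rule accepts only the dictionary-based password, while the guess estimate ranks it lowest and shows that four extra lowercase letters add more than swapping in a digit and a symbol.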
