When using Firebase's Email & Password setting it seems like there are no security constraints on the password.
For example I could create the following user:
firebaseRef.createUser(
{
email: "[email protected]",
password: "j"
});
I'd like to at least set a minimum password length. Does firebase provide a way to do this?
A FirebaseAuthWeakPasswordException is thrown when using a weak password (less than 6 chars) to create a new account or to update an existing account's password. Use getReason() to get a message with the reason the validation failed that you can display to your users.
See https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuthWeakPasswordException for more details.
There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.
You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce a "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sound very appealing.
I would argue that implementing front-end validation here should be enough (at least in a big portion of applications).
If the purpose of this validation is to protect the user himself, then there is no harm in allowing a user to hack your app and set the password to password, go to a forum and post the credentials, and jump out of a window.
