Set Minimum Password Length Firebase Email & Password Authentication

When using Firebase's Email & Password setting it seems like there are no security constraints on the password.

For example I could create the following user:

firebaseRef.createUser(
{
    email: "[email protected]",
    password: "j"
});

I'd like to at least set a minimum password length. Does firebase provide a way to do this?


A FirebaseAuthWeakPasswordException is thrown when using a weak password (less than 6 chars) to create a new account or to update an existing account's password. Use getReason() to get a message with the reason the validation failed that you can display to your users.

See https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuthWeakPasswordException for more details.


There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.

You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce a "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sound very appealing.


I would argue that implementing front-end validation here should be enough (at least in a big portion of applications).

If the purpose of this validation is to protect the user himself, then there is no harm in allowing a user to hack your app and set the password to password, go to a forum and post the credentials, and jump out of a window.