Enable, disable, and use password policies
==========================================
This document shows you how to use password policies to improve password
strength for new and existing users.
Overview
--------
With password policies, you can improve account security by enforcing password
complexity requirements. Password policies support the following password
requirements:

- Lowercase character required
- Uppercase character required
- Numeric character required
- Non-alphanumeric character required
- Minimum password length (ranges from 6 to 30 characters; defaults to 6)
- Maximum password length (maximum length of 4096 characters)

The following characters satisfy the non-alphanumeric character requirement if
configured:

``^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` ``

Before you begin
----------------

- Install the [admin SDK](/identity-platform/docs/install-admin-sdk).

Enforcement modes
-----------------
You can enable password policy enforcement in two modes:

- Require: Attempts to sign up fail until the user updates to a password that
  complies with your policy.
- Notify: Users are allowed to sign up with a non-compliant password. Any
  missing criteria needed to satisfy the policy are returned. Criteria returned
  include:

  - `MISSING_LOWERCASE_CHARACTER`
  - `MISSING_UPPERCASE_CHARACTER`
  - `MISSING_NUMERIC_CHARACTER`
  - `MISSING_NON_ALPHANUMERIC_CHARACTER`
  - `MINIMUM_PASSWORD_LENGTH`
  - `MAXIMUM_PASSWORD_LENGTH`

  Note: Password criteria parameters are not available in the client SDK. See
  Enforcing on the client side for how to validate passwords using the client SDK.

  You can send this information to the user to inform them to update their
  password. The following example shows a response containing missing
  password criteria:

```json
{
  "kind": "identitytoolkit#VerifyPasswordResponse",
  "localId": "CJL1i2",
  "email": "cloudysanfrancisco@gmail.com",
  "displayName": "",
  "idToken": "ID_TOKEN",
  "registered": true,
  "userNotifications": [
    {
      "notificationCode": "MISSING_NUMERIC_CHARACTER",
      "notificationMessage": "Password must contain a numeric character"
    },
    {
      "notificationCode": "MISSING_NON_ALPHANUMERIC_CHARACTER",
      "notificationMessage": "Password must contain a non-alphanumeric character"
    }
  ]
}
```
New users are required to choose a password that complies with your policy.
If you have active users, we recommend not enabling force upgrade on sign in
unless you intend to immediately enforce the password policy. Instead, use
notify mode, which allows users to sign in with their current passwords
and sends notifications that detail the requirements their password lacks.

When you enable enforcement, set `forceUpgradeOnSignin` to `true` to enable enforcement
in require mode. Set it to `false` to enable enforcement in notify mode.

Enable enforcement
------------------

If you haven't already done so, configure
[email and password sign-in](/identity-platform/docs/quickstart-email-password).

To enforce a password policy at the project level, run the following:
```javascript
import { getAuth } from 'firebase-admin/auth';

// Update project config with password policy config
getAuth().projectConfigManager().updateProjectConfig({
  passwordPolicyConfig: {
    enforcementState: 'ENFORCE',
    forceUpgradeOnSignin: true,
    constraints: {
      requireUppercase: true,
      requireLowercase: true,
      requireNonAlphanumeric: true,
      requireNumeric: true,
      minLength: MIN_PASSWORD_LENGTH,
      maxLength: MAX_PASSWORD_LENGTH,
    },
  },
});
```
Replace the following:

- `MIN_PASSWORD_LENGTH`: the minimum required password length
- `MAX_PASSWORD_LENGTH`: the maximum required password length
To enforce a password policy at the tenant level, run the following:
```javascript
import { getAuth } from 'firebase-admin/auth';

// Create a tenant with a password policy config
getAuth().tenantManager().createTenant({
  displayName: "admin-tenant",
  passwordPolicyConfig: {
    enforcementState: 'ENFORCE',
    forceUpgradeOnSignin: true,
    constraints: {
      requireUppercase: true,
      requireLowercase: true,
      requireNonAlphanumeric: true,
      requireNumeric: true,
      minLength: MIN_PASSWORD_LENGTH,
      maxLength: MAX_PASSWORD_LENGTH,
    },
  },
});
```
Disable enforcement
-------------------
To disable password policy enforcement at the project level, run the following:
```javascript
import { getAuth } from 'firebase-admin/auth';

// Update project config to turn password policy enforcement off
getAuth().projectConfigManager().updateProjectConfig({
  passwordPolicyConfig: {
    enforcementState: 'OFF',
  },
});
```
To disable password policy enforcement at the tenant level, run the following:
```javascript
import { getAuth } from 'firebase-admin/auth';

// Update tenant config to turn password policy enforcement off
getAuth().tenantManager().updateTenant(TENANT-ID, {
  passwordPolicyConfig: {
    enforcementState: 'OFF',
  },
});
```

Replace `TENANT-ID` with the tenant ID you want to disable a
password policy for.
Enforcing on the client side
----------------------------
Passwords can be validated against the password policy for the project or a tenant
on the client side before submission.
```javascript
import { getAuth, validatePassword } from 'firebase/auth';

const auth = getAuth();
// Set the tenant ID only when validating against a tenant's policy;
// leave it unset to validate against the project-level policy.
auth.tenantId = TENANT-ID;

let status;
try {
  status = await validatePassword(auth, 'password');
} catch (error) {
  // Password could not be validated (for example, the policy could not be fetched).
}

if (status) {
  const policy = status.passwordPolicy;
  // Use the status and policy to show what requirements are met and which are missing.
}
```
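As an added example (not code from the Identity Platform documentation or the Firebase SDK), the following mirrors the `constraints` object used in the admin SDK calls above and returns the same notification codes that notify mode reports, so a sign-up form can list missing requirements locally before submission and render server-returned `userNotifications` through the same path. The ASCII letter and digit classes and the code-point length count are assumptions about the service's checks; the non-alphanumeric set is the one listed on this page, so a hyphen, for instance, does not satisfy the requirement.

```javascript
// Characters the page lists as satisfying the non-alphanumeric requirement.
const NON_ALPHANUMERIC = new Set("^$*.[]{}()?\"!@#%&/\\,><':;|_~`");

// Codes reported in notify mode, with messages in the style of the sample response.
const MESSAGES = {
  MISSING_LOWERCASE_CHARACTER: "Password must contain a lowercase character",
  MISSING_UPPERCASE_CHARACTER: "Password must contain an uppercase character",
  MISSING_NUMERIC_CHARACTER: "Password must contain a numeric character",
  MISSING_NON_ALPHANUMERIC_CHARACTER: "Password must contain a non-alphanumeric character",
  MINIMUM_PASSWORD_LENGTH: "Password is shorter than the minimum length",
  MAXIMUM_PASSWORD_LENGTH: "Password is longer than the maximum length",
};

// `constraints` uses the same keys as passwordPolicyConfig.constraints above.
// Assumption: ASCII letter/digit classes and code-point counting approximate the service.
function evaluatePasswordPolicy(password, constraints) {
  const chars = Array.from(password);
  const codes = [];
  if (constraints.requireLowercase && !/[a-z]/.test(password)) codes.push("MISSING_LOWERCASE_CHARACTER");
  if (constraints.requireUppercase && !/[A-Z]/.test(password)) codes.push("MISSING_UPPERCASE_CHARACTER");
  if (constraints.requireNumeric && !/[0-9]/.test(password)) codes.push("MISSING_NUMERIC_CHARACTER");
  if (constraints.requireNonAlphanumeric && !chars.some((c) => NON_ALPHANUMERIC.has(c))) {
    codes.push("MISSING_NON_ALPHANUMERIC_CHARACTER");
  }
  // Page defaults: minimum 6, maximum 4096.
  if (chars.length < (constraints.minLength ?? 6)) codes.push("MINIMUM_PASSWORD_LENGTH");
  if (chars.length > (constraints.maxLength ?? 4096)) codes.push("MAXIMUM_PASSWORD_LENGTH");
  return codes;
}

// Codes from a notify-mode VerifyPassword response, so server and local results
// can be rendered by the same function.
function codesFromResponse(response) {
  return (response.userNotifications ?? []).map((n) => n.notificationCode);
}

// Turn codes into the messages a sign-up form would display.
function describeCodes(codes) {
  return codes.map((code) => MESSAGES[code] ?? code);
}

// Constructed sample policy: the constraints from the admin SDK call with an 8-character minimum.
const SAMPLE_CONSTRAINTS = {
  requireUppercase: true, requireLowercase: true, requireNonAlphanumeric: true,
  requireNumeric: true, minLength: 8, maxLength: 4096,
};
```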
Last updated 2025-08-29 UTC.