Password policy
Password-based authentication flows are subject to frequent abuse through social engineering, password guessing and phishing attacks.
Ory Cloud implements measures to provide high security for password-based flows. The Ory Password Policy follows standards by the National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST) as well as leading security researchers.
Default Password Policy
- By default, the password must be at least 8 characters long; all characters (Unicode, ASCII) are allowed.
- Ory Cloud makes sure the password isn't similar to the username/email or other credentials. To ensure the password is different, Ory Cloud enforces a minimum Levenshtein distance. It also makes sure no significant strings of the credentials are part of the password. For example, if a user's email is bob@example.com, bob24 would not be a valid password.
- Ory Cloud checks all passwords against a database of known leaked passwords through the HIBP API. Breached or leaked password detection uses anonymized data.
- Following NIST guidelines, Ory Cloud doesn't require or prohibit a mixture of character types or repeated characters.
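The default policy above, as an added example that is not Ory's own code: a small Go program that applies the four checks in the order a server would run them. Length is counted in Unicode code points rather than bytes, similarity to the identifier uses Levenshtein distance plus a check for significant fragments of the identifier (the minimum distance of 5 and the 3-character fragment threshold are assumptions, since the page names no values), and the breach check follows the HIBP range API's k-anonymity model: only the first five hex characters of the SHA-1 are sent, the rest is matched locally. The HIBP response is constructed inline so the example runs offline.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy constants. minLength comes from the page; the other two are assumed
// values, since the page names no thresholds.
const (
	minLength              = 8 // counted in code points, so Unicode passwords are not penalised
	minLevenshteinDistance = 5 // assumed
	minSignificantPart     = 3 // assumed: identifier fragments shorter than this are ignored
)

// levenshtein returns the edit distance between a and b, counted in runes.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// significantParts splits an identifier such as "bob@example.com" into the
// fragments a user is likely to reuse in a password: "bob", "example", "com".
func significantParts(identifier string) []string {
	fields := strings.FieldsFunc(strings.ToLower(identifier), func(r rune) bool {
		return r == '@' || r == '.' || r == '_' || r == '-' || r == '+'
	})
	var parts []string
	for _, f := range fields {
		if utf8.RuneCountInString(f) >= minSignificantPart {
			parts = append(parts, f)
		}
	}
	return parts
}

// hibpSuffixes is a constructed stand-in for the HIBP range API: one response
// per 5-character hash prefix, each line "SUFFIX:COUNT". The first suffix is
// the real remainder of SHA-1("password"); the second line is filler.
var hibpSuffixes = map[string]string{
	"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004\n" +
		"00000000000000000000000000000000000:1\n",
}

func fakeHIBP(prefix string) string { return hibpSuffixes[prefix] }

// isBreached performs the k-anonymity lookup: only the hash prefix reaches the
// lookup function; the 35-character suffix is compared locally.
func isBreached(password string, lookup func(prefix string) string) bool {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := h[:5], h[5:]
	for _, line := range strings.Split(lookup(prefix), "\n") {
		if s, _, ok := strings.Cut(line, ":"); ok && s == suffix {
			return true
		}
	}
	return false
}

// Validate applies the default policy and returns the first violated rule,
// or "" when the password is acceptable.
func Validate(password, identifier string, lookup func(string) string) string {
	if utf8.RuneCountInString(password) < minLength {
		return "too short"
	}
	lower := strings.ToLower(password)
	if levenshtein(lower, strings.ToLower(identifier)) < minLevenshteinDistance {
		return "too similar to identifier"
	}
	for _, p := range significantParts(identifier) {
		if strings.Contains(lower, p) {
			return "contains part of identifier: " + p
		}
	}
	if isBreached(password, lookup) {
		return "found in breach corpus"
	}
	return ""
}

func main() {
	for _, pw := range []string{"bob24", "bob24bob24", "password", "pässwörd-ünicode", "correct horse battery"} {
		fmt.Printf("%-22q -> %q\n", pw, Validate(pw, "bob@example.com", fakeHIBP))
	}
}
```

The order matters for user experience as much as for security: the cheap local checks (length, similarity) run first, and the breach lookup, the only one that involves a network call in production, runs last. Lower-casing before the similarity checks keeps a user from bypassing them with case changes alone, while the breach check hashes the password exactly as typed, because HIBP indexes exact strings.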
For a more detailed explanation of why this is the default password policy for Ory Cloud, please visit the Security Profiles document.
Custom User Interface
When using your own user interface, we recommend the following password policies to ensure security and good user experience:
- Allow pasting credentials into login and similar forms.
- Allow making the password visible through a modal.
- Don't show password hints to unauthenticated users.
- Don't expire passwords.
For a more detailed explanation of the concepts behind these guidelines, please visit the Security Profiles document.