Password Policy
Password-based authentication flows are subject to frequent abuse through social
engineering, password guessing and phishing attacks.
Ory Cloud implements measures to provide high security for password-based flows.
The Ory Password Policy follows standards by the National Cyber Security
Centre
(NCSC
)
and National Institute of Standards and Technology
(NIST
) as well as
leading
security researchers.
Default Password Policy​
- The password must by default at least be 8 characters long and all characters (unicode, ASCII) are allowed.
- Ory Cloud makes sure the password isn't similar to the username/email or other
credentials.
To ensure the password is different, Ory Cloud enforces a minimum Levenshtein distance. It also makes sure no significant strings of the credentials are part of the password. For example if an users email isbob@example.com
,bob24
would not be a valid password. - Ory Cloud checks all passwords against a database of known leaked passwords
through the
HIBP
API.
Breached or leaked password detection uses anonymized data. - Ory Cloud doesn't require or prohibit a mixture or repeated characters
following to
NIST
guidelines.
For a more detailed explanation on why this is the default password policy for Ory Cloud please visit the Security Profiles document.
Custom User Interface​
When using your own user interface, we recommend the following password policies to ensure security and good user experience:
- Allows the pasting of credentials in login etc. forms.
- Allow making the password visible through a modal.
- Don't show password hints to unauthenticated users.
- Don't expire passwords.
For a more detailed explanation of the concepts of these guidelines please visit the Security Profiles document.