Password policy
Password-based authentication flows are subject to frequent abuse through social engineering, password guessing and phishing attacks.
The Ory Network implements measures to provide high security for password-based flows. The Ory Password Policy follows standards by the National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST) as well as leading security researchers.
Default Password Policy
- The password must by default be at least 8 characters long, and all characters (Unicode, ASCII) are allowed.
- The Ory Network makes sure the password isn't similar to the username/email or other credentials. To ensure the password is different, The Ory Network enforces a minimum Levenshtein distance. It also makes sure no significant strings of the credentials are part of the password. For example, if a user's email is bob@example.com, bob24 would not be a valid password.
- The Ory Network checks all passwords against a database of known leaked passwords through the HIBP API. Breached or leaked password detection uses anonymized data.
- The Ory Network doesn't require a mixture of character types or prohibit repeated characters, following NIST guidelines.
For a more detailed explanation of why this is the default password policy for The Ory Network, please visit the Security Profiles document.
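The length and similarity rules above, as an added example written for this page rather than Ory's own implementation: a rune-based minimum length, a Levenshtein distance from each identifier, and a ban on significant identifier substrings (the "bob" of bob@example.com). The minDistance and minPartLen thresholds and the characters used to split identifiers are assumptions, since the page states only the 8-character minimum.

```go
package main
import "strings"
import "unicode/utf8"
const minLength, minDistance, minPartLen = 8, 5, 3 // assumed: the page states only the 8-character minimum

// levenshtein is the rune-wise edit distance behind the "not similar to the identifier" rule.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := []int{i}
		for j := 1; j <= len(rb); j++ {
			d := prev[j-1] + 1 // substitution
			if ra[i-1] == rb[j-1] {
				d = prev[j-1] // match
			}
			if prev[j]+1 < d {
				d = prev[j] + 1 // deletion
			}
			if cur[j-1]+1 < d {
				d = cur[j-1] + 1 // insertion
			}
			cur = append(cur, d)
		}
		prev = cur
	}
	return prev[len(rb)]
}
// CheckPassword returns the length and similarity violations of a candidate password against the user's identifiers (email, username); empty means it passes these rules.
func CheckPassword(password string, identifiers ...string) (problems []string) {
	if utf8.RuneCountInString(password) < minLength { // characters, not bytes: Unicode is allowed
		problems = append(problems, "too short")
	}
	lp := strings.ToLower(password)
	for _, id := range identifiers {
		lid := strings.ToLower(id)
		if levenshtein(lp, lid) < minDistance {
			problems = append(problems, "too similar to "+id)
		}
		for _, part := range strings.FieldsFunc(lid, func(r rune) bool { return strings.ContainsRune("@._-+", r) }) {
			if len(part) >= minPartLen && strings.Contains(lp, part) { // e.g. "bob" from bob@example.com
				problems = append(problems, "contains "+part)
			}
		}
	}
	return problems
}
```

With these assumptions, CheckPassword("bob24", "bob@example.com") reports both "too short" and "contains bob", which is the page's example rejection.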
Custom User Interface
When using your own user interface, we recommend the following password policies to ensure security and good user experience:
- Allow pasting credentials into login and similar forms.
- Allow making the password visible through a modal.
- Don't show password hints to unauthenticated users.
- Don't expire passwords.
For a more detailed explanation of the concepts behind these guidelines, please visit the Security Profiles document.