Firebase’s Password Reset is Insecure. Here’s How to Fix It.

<p>My previous blog post described how Firebase’s password reset system is insecure. This post introduces a new open-source project that acts as a drop-in replacement for the insecure system.</p>
<p>The problem applies to apps using email/password authentication in Firebase Auth. When a user asks to reset their password, they are by default sent to this mini-app:</p>
<p><img alt="Animated demo of entering the password ‘aaaaaa’ in the insecure password reset app" src="https://miro.medium.com/v2/resize:fit:466/1*X_oKmcs9qTFHvu5VkN_aQQ.gif" style="height:358px; width:466px" /></p>
<p>Firebase’s default password reset mini-app allows really, really dumb passwords</p>
<p>As you can see, there is next to no password security. Its only stipulation is that passwords must be 6 or more characters long, so users can choose really ordinary passwords like ‘aaaaaa’ or ‘123456’.</p>
<p>Over time, therefore, the more users rely on the password reset feature, the more their passwords drift toward weaker and weaker choices.</p>
<p><a href="https://betterprogramming.pub/firebases-password-reset-is-insecure-here-s-how-to-fix-it-882629e3b779">Read More</a></p>
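<p>As an added example (not code from the article or from the drop-in project it introduces), this is the kind of policy check a custom reset page can apply before completing a reset, instead of the 6-character minimum the default mini-app enforces. It assumes a 12-character minimum, a small constructed denylist, and that the custom page reads <code>mode</code> and <code>oobCode</code> from the Firebase action link; the actual <code>confirmPasswordReset()</code> call is left as a comment so the snippet runs offline.</p>

```javascript
// Added example, not the article's or the project's code.
// Policy a custom Firebase reset page can enforce before calling
// confirmPasswordReset(auth, oobCode, newPassword) from the Firebase JS SDK.

// Constructed, deliberately tiny denylist; load a real one in production.
const COMMON_PASSWORDS = new Set(['123456', 'password', 'qwerty', 'aaaaaa', '111111', 'letmein']);
const MIN_LENGTH = 12; // assumption: stricter than Firebase's default 6

// True for runs like '123456' or 'abcdef' (every step is +1 or every step is -1).
function isSequential(pw) {
  if (pw.length < 3) return false;
  const step = pw.charCodeAt(1) - pw.charCodeAt(0);
  if (Math.abs(step) !== 1) return false;
  for (let i = 2; i < pw.length; i++) {
    if (pw.charCodeAt(i) - pw.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// Returns { ok, reasons } so the page can show the user every failed rule at once.
function evaluatePassword(pw) {
  const reasons = [];
  if (pw.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) reasons.push('on the common-password list');
  // Count how many of lower, upper, digit, other are present.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
  if (classes < 3) reasons.push('fewer than 3 character classes');
  // 'aaaaaa' passes the length rule with 6 chars but has only one distinct character.
  if (new Set(pw).size < 4) reasons.push('fewer than 4 distinct characters');
  if (isSequential(pw)) reasons.push('a simple ascending/descending sequence');
  return { ok: reasons.length === 0, reasons };
}

// Firebase action links carry ?mode=resetPassword&oobCode=...; the custom page
// needs the oobCode to complete the reset. Returns null if the link is not a reset.
function parseResetLink(href) {
  const params = new URL(href).searchParams;
  const oobCode = params.get('oobCode');
  if (params.get('mode') !== 'resetPassword' || !oobCode) return null;
  return { oobCode };
}

// Gate the reset: only hand back an oobCode when the new password passes policy.
function validateResetRequest(href, newPassword) {
  const link = parseResetLink(href);
  if (!link) return { ok: false, reasons: ['not a Firebase password-reset link'] };
  const verdict = evaluatePassword(newPassword);
  if (!verdict.ok) return verdict;
  // In the real page: await confirmPasswordReset(auth, link.oobCode, newPassword);
  return { ok: true, oobCode: link.oobCode };
}
```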