Firebase’s Password Reset is Insecure. Here’s How to Fix It.
<p>My previous post described why Firebase’s default password reset flow is insecure. This post introduces a new open-source project that acts as a drop-in replacement for that insecure flow.</p>
<p>The problem applies to apps using email/password authentication in Firebase Auth. When a user asks to reset their password, they are by default sent to this mini-app:</p>
<p><img alt="Animated demo of entering the password ‘aaaaaa’ in the insecure password reset app" src="https://miro.medium.com/v2/resize:fit:466/1*X_oKmcs9qTFHvu5VkN_aQQ.gif" style="height:358px; width:466px" /></p>
<p>Firebase’s default password reset mini-app allows really, really dumb passwords</p>
<p>As you can see, there is next to no password validation. Its only rule is that the new password must be 6 or more characters long, so users are free to choose trivially guessable passwords like ‘aaaaaa’ or ‘123456’.</p>
<p>Over time, therefore, every use of the password reset feature gives users another opportunity to pick a weaker password, and the overall strength of passwords in the app drifts downward.</p>
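<p>To make the gap concrete, here is the length-only rule the post describes next to the kind of stricter check a replacement reset page could run before accepting a new password. This is an added example, not code from the post or from the project it introduces; the 12-character minimum, the rejection rules and the short blocklist are assumed policy choices, and the blocklist is a constructed sample rather than a real breached-password list.</p>

```javascript
// Added example (not from the post or its replacement project): the default
// Firebase reset page's only rule, beside a stricter policy a custom reset
// page could enforce before it submits the new password to Firebase Auth.

// Rule as the post describes the default mini-app: length >= 6, nothing else.
function defaultFirebaseCheck(password) {
  return password.length >= 6;
}

// Assumed policy value; real deployments pick their own minimum.
const MIN_LENGTH = 12;

// Constructed sample blocklist. A deployment would load a much larger
// breached/common-password list instead of this handful of entries.
const COMMON_PASSWORDS = new Set([
  "aaaaaa", "123456", "123456789", "password", "qwerty", "letmein", "iloveyou",
]);

// True when every adjacent pair of characters differs by exactly +1 or
// exactly -1 in code point ("abcdefgh", "87654321"), which length checks miss.
function isSequential(s) {
  if (s.length < 2) return false;
  let ascending = true;
  let descending = true;
  for (let i = 1; i < s.length; i++) {
    const diff = s.charCodeAt(i) - s.charCodeAt(i - 1);
    if (diff !== 1) ascending = false;
    if (diff !== -1) descending = false;
  }
  return ascending || descending;
}

// Returns the list of reasons the password is rejected; an empty list means
// the password is acceptable under this (assumed) policy.
function checkPassword(password) {
  const reasons = [];
  if (password.length < MIN_LENGTH) {
    reasons.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    reasons.push("appears in common-password list");
  }
  // "aaaaaaaaaaaa" or "aaaaaabbbbbb" satisfy a length rule but carry almost
  // no entropy; require at least four distinct characters.
  if (new Set(password).size < 4) {
    reasons.push("fewer than 4 distinct characters");
  }
  if (isSequential(password)) {
    reasons.push("sequential characters");
  }
  return reasons;
}

// Convenience wrapper: accept only when no rule fired.
function hardenedCheck(password) {
  return checkPassword(password).length === 0;
}

// Shows where the two policies disagree for a given candidate.
function comparePolicies(password) {
  return {
    acceptedByDefault: defaultFirebaseCheck(password),
    acceptedByHardened: hardenedCheck(password),
    reasons: checkPassword(password),
  };
}

// Stand-alone demo over constructed candidates, including the post's examples.
for (const candidate of ["aaaaaa", "123456", "abcdefghijkl", "correct horse battery staple"]) {
  console.log(JSON.stringify(candidate), comparePolicies(candidate));
}
```

<p>On a custom reset page, <code>hardenedCheck</code> would gate the call that actually sets the password (in the Firebase JS SDK that is <code>confirmPasswordReset(auth, oobCode, newPassword)</code>), so a rejected candidate never reaches Firebase. Note that the check is client-side convenience only; a determined user can bypass it, so the post's point that the stock flow enforces nothing server-side beyond length still stands.</p>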
<p><a href="https://betterprogramming.pub/firebases-password-reset-is-insecure-here-s-how-to-fix-it-882629e3b779">Read More</a></p>