Skip to main content

Password Policy

Controlling the strength of user passwords is essential for maintaining security in your application. Contember allows you to define a custom password policy via the configure mutation. This includes settings like minimum length, character requirements, and optional pattern enforcement.

Configuring Password Requirements

You can set or update password policy rules using the configure mutation and its password field. Here's an example:

mutation {
configure(config: {
password: {
minLength: 10
requireUppercase: 1
requireLowercase: 1
requireDigit: 1
requireSpecial: 1
checkBlacklist: true
pattern: "^(?=.*[A-Z])(?=.*\\d).*$"
}
}) {
ok
error {
code
developerMessage
}
}
}

Available Fields

  • minLength – Minimum number of characters required (e.g., 8)
  • requireUppercase – Minimum uppercase letters (e.g., 1)
  • requireLowercase – Minimum lowercase letters (e.g., 1)
  • requireDigit – Minimum digits required (e.g., 1)
  • requireSpecial – Minimum special characters required (e.g., 1)
  • checkBlacklist – Whether to block commonly used or leaked passwords (true or false)
  • pattern – Optional regex pattern that passwords must match (e.g., enforce structure)

Blacklist: Preventing Common Passwords

When checkBlacklist is enabled, passwords are checked against a list of 10,000 most common passwords, sourced from the SecLists project. This helps block weak passwords like qwerty, or 123456.

Normalization and Leetspeak Decoding

To ensure better coverage, basic normalization is applied before blacklist comparison. This includes:

  • Lowercasing the password
  • Decoding common leetspeak substitutions:
    • @a
    • $s
    • 0o
    • 1l
    • 3e
    • 7t
    • !i

For example, P@ssw0rd would be flagged as password after normalization and leetspeak decoding.

Weak Password Feedback

If a password doesn't meet the policy, you'll receive a TOO_WEAK error with a list of reasons:

mutation {
changeMyPassword(currentPassword: "oldPass", newPassword: "weak") {
ok
error {
code
weakPasswordReasons
developerMessage
}
}
}

Example Weak Password Reasons

  • TOO_SHORT
  • MISSING_UPPERCASE
  • MISSING_LOWERCASE
  • MISSING_DIGIT
  • MISSING_SPECIAL
  • INVALID_PATTERN
  • BLACKLISTED

Best Practices

  • Enforce a mix of character types for better entropy.
  • Enable checkBlacklist to avoid trivial passwords.
  • Use pattern if you require a specific password structure.