Firebase rejects passwords that do not meet its security requirements. By default, passwords must be at least 6 characters long, but you can enforce stronger policies through the Firebase console.
The "auth/weak-password" error occurs when a user attempts to create an account or change their password with a password that does not meet Firebase Authentication's security standards. Firebase enforces a minimum password length of 6 characters by default. This is a client-side validation error thrown by the Firebase SDK to prevent users from creating accounts with insufficiently strong passwords. Firebase also allows you to configure stricter password policies through the Firebase Console, such as requiring longer passwords, special characters, or other complexity rules.
By default, Firebase Authentication requires passwords to be at least 6 characters long. If your users are entering shorter passwords, that will trigger the weak-password error.

// Example: Password validation check
const password = "12345"; // Only 5 characters - will be rejected
// This will throw error code: auth/weak-password

Before sending the password to Firebase, validate it on the client side. This provides immediate feedback to users and prevents unnecessary API calls.

// Web - JavaScript
function validatePassword(password) {
  const minLength = 6;
  if (password.length < minLength) {
    return {
      isValid: false,
      message: `Password must be at least ${minLength} characters`,
    };
  }
  return { isValid: true };
}

// When creating user
function signUp(email, password) {
  // Check locally first so the user gets feedback without a network call
  const validation = validatePassword(password);
  if (!validation.isValid) {
    console.error(validation.message);
    return;
  }

  const auth = firebase.auth();
  auth
    .createUserWithEmailAndPassword(email, password)
    .then((userCredential) => {
      console.log("User created:", userCredential.user.uid);
    })
    .catch((error) => {
      // Firebase can still reject a password that passed the local check
      if (error.code === "auth/weak-password") {
        console.error("Password is too weak");
      }
    });
}

signUp("user@example.com", "MyPassword123");

Implement proper error handling to catch and respond to weak password errors gracefully.

// Web - JavaScript
firebase
  .auth()
  .createUserWithEmailAndPassword(email, password)
  .catch((error) => {
    if (error.code === "auth/weak-password") {
      displayUserMessage("Password must be at least 6 characters");
    } else if (error.code === "auth/email-already-in-use") {
      displayUserMessage("Email is already registered");
    }
  });

// Flutter - Dart
try {
  await FirebaseAuth.instance.createUserWithEmailAndPassword(
    email: email,
    password: password,
  );
} on FirebaseAuthException catch (e) {
  if (e.code == "weak-password") {
    print("The password is too weak: ${e.message}");
  }
}

// Android - Java
mAuth
    .createUserWithEmailAndPassword(email, password)
    .addOnCompleteListener(
        task -> {
          if (!task.isSuccessful()) {
            if (task.getException() instanceof FirebaseAuthWeakPasswordException) {
              String reason = ((FirebaseAuthWeakPasswordException) task.getException()).getReason();
              Toast.makeText(context, "Weak password: " + reason, Toast.LENGTH_SHORT).show();
            }
          }
        });

For better security, configure a custom password policy in the Firebase Console:
1. Go to Firebase Console
2. Select your project
3. Navigate to Authentication > Settings
4. Click on the "Password policy" tab
5. Configure:
   - Minimum password length: Set to 8-12 characters (recommended: 12+)
   - Special characters requirement: Optional but recommended
   - Enforcement mode: Turn ON to enforce policy
This will reject passwords that don't meet your custom requirements. However, remember that you still need client-side validation for better UX.
Update your sign-up form UI to clearly communicate password requirements:

<form id="signup-form">
  <label for="email">Email:</label>
  <input type="email" id="email" required />
  <label for="password">Password:</label>
  <input type="password" id="password" required />
  <div id="password-requirements">
    <p>Password must:</p>
    <ul>
      <li id="req-length">
        <span id="check-length">✗</span> Be at least 6 characters
      </li>
      <li id="req-uppercase">
        <span id="check-uppercase">✗</span> Include an uppercase letter
      </li>
      <li id="req-lowercase">
        <span id="check-lowercase">✗</span> Include a lowercase letter
      </li>
      <li id="req-number">
        <span id="check-number">✗</span> Include a number
      </li>
    </ul>
  </div>
  <button type="submit">Sign Up</button>
</form>
<script>
  const passwordInput = document.getElementById("password");
  passwordInput.addEventListener("input", (e) => {
    const pwd = e.target.value;
    document.getElementById("check-length").textContent =
      pwd.length >= 6 ? "✓" : "✗";
    document.getElementById("check-uppercase").textContent =
      /[A-Z]/.test(pwd) ? "✓" : "✗";
    document.getElementById("check-lowercase").textContent =
      /[a-z]/.test(pwd) ? "✓" : "✗";
    document.getElementById("check-number").textContent =
      /[0-9]/.test(pwd) ? "✓" : "✗";
  });
</script>

Note on Firebase password complexity: By default, Firebase only enforces a minimum length of 6 characters. The "weak-password" error might seem lenient compared to other auth systems, but Firebase allows you to configure stricter rules through the Password Policy feature (available in Firebase Console under Authentication > Settings > Password policy tab).
Why Firebase has minimal defaults: Firebase aims to balance security with user experience. Very strict password requirements can frustrate users and increase sign-up abandonment. It's recommended to increase the minimum length to at least 8-12 characters and require a mix of character types for production applications.
Custom password validation: Firebase does not currently allow you to define custom password rules directly in the SDK. You must implement client-side validation and optionally configure rules in the Firebase Console. If you need very specific custom rules, validate on your backend before calling Firebase auth methods.
Password policy enforcement: When you enable password policy enforcement in the Firebase Console, it applies to all new accounts and password changes. Existing accounts are not affected unless users explicitly change their passwords.
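
One way to keep the sign-up form checklist and a backend check on the same rules, as the custom-validation note above suggests. This is an added example, not code from the original page or from the Firebase SDK. The POLICY values, the names checkPasswordPolicy and describeFailures, and the definition of a "special" character are assumptions to adjust to the policy you configured in the console.

```javascript
// Added example (not Firebase SDK code). POLICY values are assumptions:
// set them to match the policy configured in the Firebase Console.
const POLICY = {
  minLength: 12,
  requireUppercase: true,
  requireLowercase: true,
  requireNumber: true,
  requireSpecial: true,
};

// One entry per requirement; ids line up with the sign-up form checklist.
const RULES = [
  { id: "length", on: () => true, ok: (pwd, p) => pwd.length >= p.minLength },
  { id: "uppercase", on: (p) => p.requireUppercase, ok: (pwd) => /[A-Z]/.test(pwd) },
  { id: "lowercase", on: (p) => p.requireLowercase, ok: (pwd) => /[a-z]/.test(pwd) },
  { id: "number", on: (p) => p.requireNumber, ok: (pwd) => /[0-9]/.test(pwd) },
  // Assumption: "special" means any character that is not an ASCII letter or digit.
  { id: "special", on: (p) => p.requireSpecial, ok: (pwd) => /[^A-Za-z0-9]/.test(pwd) },
];

// Returns every unmet requirement at once, so the UI can show them all and the
// backend can reject the request before calling Firebase auth methods.
function checkPasswordPolicy(password, policy = POLICY) {
  if (typeof password !== "string") {
    return { isValid: false, failed: ["type"] };
  }
  const failed = RULES
    .filter((rule) => rule.on(policy) && !rule.ok(password, policy))
    .map((rule) => rule.id);
  return { isValid: failed.length === 0, failed };
}

// Builds a user-facing message from rule ids only; the password itself is
// never included, so it cannot end up in logs or error reports.
function describeFailures(failed, policy = POLICY) {
  const text = {
    type: "a text value",
    length: `at least ${policy.minLength} characters`,
    uppercase: "an uppercase letter",
    lowercase: "a lowercase letter",
    number: "a number",
    special: "a special character",
  };
  return failed.length === 0
    ? ""
    : "Password must include " + failed.map((id) => text[id]).join(", ");
}
```

Run the same function in the form's input handler and in the backend endpoint, and keep the Firebase error handler in place, since Firebase makes the final decision.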