This error occurs when you attempt to create or update a user password in Supabase Auth that doesn't meet the configured password strength requirements. Your password may be too short, lack required character types, or be a known compromised password.
Supabase Auth enforces password security policies to protect user accounts. When you call `signUp()` or `updateUser()` with a new password, Supabase validates it against configured requirements. The "weak_password" error is returned when the password fails one or more of these validation checks. The specific requirements can vary based on your Supabase project's authentication settings. Common validation rules include minimum length (default 6 characters, recommended 8+), required character types (uppercase, lowercase, numbers, special characters), and checks against known compromised passwords using the "Have I Been Pwned" database.
Go to your Supabase dashboard and check the password policy settings:
1. Navigate to Authentication → Providers → Email
2. Scroll to Password Security section
3. Note the minimum length requirement
4. Check if character type requirements are enabled (uppercase, lowercase, numbers, symbols)
5. Check if 'Leaked password protection' is enabled
These settings determine what makes a password "weak" in your project. The default minimum is 6 characters, but Supabase recommends at least 8.
Design a password that meets your project's requirements:
✓ At least 8 characters (or the minimum set in your project)
✓ Mix of uppercase and lowercase letters (e.g., MyPassword)
✓ Include at least one number (e.g., MyPassword123)
✓ Include a special character (if required by project settings)
✓ Avoid common patterns like "password123" or "admin123"
✓ Not previously compromised in data breaches
Good example: Tr0pical-Sunset#2024
Avoid: password123, admin, 12345678
Implement client-side password validation to catch weak passwords before sending to Supabase:

```javascript
const { data, error } = await supabase.auth.signUp({
  email: '[email protected]',
  password: 'Tr0pical-Sunset#2024', // Strong password
});
if (error && error.code === 'weak_password') {
  console.error('Password too weak:', error.message);
  // Show the user the specific requirements from your Supabase settings, e.g.:
  // Password must be at least 8 characters
  // Password must include uppercase, lowercase, numbers, and symbols
}
```

If you see 'pwned' in the error reasons, your password appears in known data breaches:
```javascript
if (error?.status === 422) {
  const weakReasons = error.message;
  if (weakReasons.includes('pwned')) {
    console.log('Password has been leaked in a previous breach');
    console.log('Choose a completely different password');
  }
}
```

Use [haveibeenpwned.com](https://haveibeenpwned.com) to check your password (without submitting it). The password is checked against their database, not shared with them.
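A pre-flight check that mirrors the dashboard's Password Security settings and reports the same reason names the `weak_password` error carries. This is an added example, not Supabase's own code; the `POLICY` object is a constructed stand-in for your project's settings, and the reason names `length`, `characters` and `pwned` are assumed to match those returned by Supabase Auth.

```javascript
// Added example (not Supabase's code): local check mirroring the project's
// Password Security settings. POLICY is a constructed representation of the
// dashboard options, not read from Supabase.
const POLICY = {
  minLength: 8,
  // Each entry is a character class the password must contain at least once.
  requiredClasses: [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/],
};

// Returns the reasons the password would be rejected for; empty means it passes.
// 'pwned' is only known server-side (or via the HIBP range API), so this local
// check can only produce 'length' and 'characters'.
function localWeakPasswordReasons(password, policy = POLICY) {
  const reasons = [];
  if (password.length < policy.minLength) reasons.push('length');
  if (!policy.requiredClasses.every((re) => re.test(password))) reasons.push('characters');
  return reasons;
}

// Map reason names (from the local check, or from the reasons on a weak_password
// error) to messages suitable for the sign-up form.
const REASON_TEXT = {
  length: `Use at least ${POLICY.minLength} characters.`,
  characters: 'Include lowercase, uppercase, a number and a symbol.',
  pwned: 'This password appears in a known data breach; choose a different one.',
};

function describeWeakPassword(reasons) {
  return reasons.map((r) => REASON_TEXT[r] ?? `Password rejected: ${r}`);
}

// Intended use around signUp (the Supabase call is illustrative and not run here):
//   const reasons = localWeakPasswordReasons(form.password);
//   if (reasons.length) return showErrors(describeWeakPassword(reasons));
//   const { error } = await supabase.auth.signUp({ email, password: form.password });
//   if (error?.code === 'weak_password') showErrors(describeWeakPassword(error.reasons ?? []));
console.log(localWeakPasswordReasons('password123')); // [ 'characters' ]
```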
If you're in a development environment and strict rules are slowing testing, you can relax requirements:
For cloud-hosted Supabase:
1. Go to Authentication → Providers → Email
2. Under Password Security, reduce minimum length or disable character requirements
3. Consider disabling 'Leaked password protection' for development-only projects
Important: Only do this in development. Always enable strict rules in production.
```javascript
// Or in your development environment, use a simpler password
const devPassword = 'devpass123'; // 10 chars, lowercase and digits only: accepted only when the dev project's rules are relaxed
```

Show users password requirements as they type using a library like zxcvbn:
```javascript
import zxcvbn from 'zxcvbn';

function validatePassword(password) {
  const result = zxcvbn(password);
  const meetsLength = password.length >= 8;
  const hasMixed = /[a-z]/.test(password) && /[A-Z]/.test(password);
  const hasNumber = /[0-9]/.test(password);
  // '-', '[', ']' and '\' are escaped so they are literal inside the class;
  // unescaped, '+-=' became a range and ']' closed the class early.
  const hasSpecial = /[!@#$%^&*()_+\-=\[\]{};':"\\|<>?,./]/.test(password);
  return {
    score: result.score, // 0-4, from zxcvbn's estimator
    meetsLength,
    hasMixed,
    hasNumber,
    hasSpecial,
  };
}

// Show the user which requirements are met as they type
// (userInput would normally come from the form's password field)
const userInput = 'Tr0pical-Sunset#2024';
const validation = validatePassword(userInput);
console.log('Password strength:', validation.score);
console.log('Length OK:', validation.meetsLength);
console.log('Mixed case OK:', validation.hasMixed);
```

Supabase uses the "Have I Been Pwned" API by default on Pro plans and above to prevent passwords that have appeared in public data breaches. This is a crucial security feature but can be disabled if needed in your project settings.
For self-hosted Supabase instances, you can customize password strength requirements by setting environment variables like GOTRUE_PASSWORD_MIN_LENGTH (default 6). Be cautious when weakening these rules—strong passwords are essential for account security.
The password is checked client-side against the Pwned Passwords API without revealing the full password. Only the first 5 characters of the SHA-1 hash are sent, maintaining privacy while preventing compromised passwords.
If your users consistently fail password validation, consider providing real-time feedback with a library like zxcvbn that shows password strength before submission, improving user experience while maintaining security.