Passwords Overview
Stytch's password product allows you to offer a familiar authentication option to your end users, with built-in protection against common password pitfalls like credential stuffing attacks and insecure account deduplication.
Cross-Organization vs Organization-Scoped Passwords
Stytch offers two different approaches to passwords within our B2B product, depending on how passwords are treated across Organizations:
- Cross-Organization: an email has a single password associated with it, and the end user can use that password to log into any of their Organizations that allow passwords as an authentication method
- Organization-Scoped: a password is scoped to a specific MemberID, and can only be used to log into that specific Organization
If you have a single, centralized login page for all Organizations, we recommend you use Cross-Organization passwords by enabling Allow passwords to be used between Organizations in the Passwords configuration page of the Dashboard. If you have tenanted login pages for each Organization and want to enforce strict data isolation between your Organizations, we recommend you use Organization-Scoped passwords and disable this setting.
Default Password Policy
By default, Stytch uses zxcvbn for our password strength assessment, which is designed with modern password cracking techniques in mind and rewards easy-to-type but difficult to crack passwords like EntropyIsInformation over annoying and ineffective LUDS (lower, upper, digit, symbol) requirements that still allow users to set easily crackable passwords like P@ssword123. You can play around with zxcvbn here.
Stytch integrates with HaveIBeenPwned to detect breached passwords, and by default verifies the user's password has not been breached on both initial password creation and on subsequent authentication. If HaveIBeenPwned indicates that a user's current password has been breached, Stytch will force the end user to reset their password in order to prevent a credential stuffing attack.
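The following is an added example, not Stytch's own code, showing how a breach check like the one described above works end to end: the candidate password is SHA-1 hashed, only the first five hex characters of the hash are sent to the Pwned Passwords range endpoint (k-anonymity), the returned "SUFFIX:COUNT" lines are matched locally, and the result drives the create-vs-authenticate policy. The HaveIBeenPwned server is replaced by an in-memory stand-in built from a constructed list of "breached" passwords so the script runs offline; the rejected-at-creation outcome is an assumption, since the page only states that creation is checked.

```python
import hashlib
from typing import Callable

# --- Constructed stand-in for the Pwned Passwords "range" endpoint ---
# A real client would GET https://api.pwnedpasswords.com/range/<prefix>.
# This tiny in-memory table of (hypothetical) breached passwords plays the
# server so the example runs offline. Counts are made up.
_CONSTRUCTED_BREACH_CORPUS = {
    "P@ssword123": 2,      # the LUDS-compliant but weak example from the page
    "password": 9000000,
    "hunter2": 17,
}

def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix: str) -> str:
    """Answer a range query the way the real API does: every stored hash whose
    first 5 hex chars equal `prefix` comes back as '<remaining 35 chars>:<count>'.
    The server never sees the full hash, so it cannot tell which password was asked about."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_CORPUS.items():
        full = _sha1_upper(pw)
        if full[:5] == prefix:
            lines.append(f"{full[5:]}:{count}")
    return "\r\n".join(lines)

# --- Client side: what a breach check does with a candidate password ---
def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the breach corpus (0 if never).
    Only the 5-character prefix leaves the client; suffix matching happens locally."""
    full = _sha1_upper(password)
    prefix, suffix = full[:5], full[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        cand_suffix, _, count = line.partition(":")
        # The real API can pad responses with count-0 decoy entries when padding
        # is requested; a zero count therefore means "not actually breached".
        if cand_suffix.strip().upper() == suffix and int(count.strip()) > 0:
            return int(count.strip())
    return 0

def password_decision(password: str, event: str,
                      range_lookup: Callable[[str], str] = fake_range_lookup) -> str:
    """Default policy from the page: check on both 'create' and 'authenticate'.
    A breached password forces a reset at authentication; rejecting it at
    creation is an assumed behaviour for this example."""
    if event not in ("create", "authenticate"):
        raise ValueError("event must be 'create' or 'authenticate'")
    if breach_count(password, range_lookup) == 0:
        return "ok"
    return "rejected" if event == "create" else "reset_required"
```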
However, Stytch also offers the ability to customize your password strength assessment and password breach detection policies to fit whatever makes the most sense for your application. You can read more about the full list of configurations in the Strength Policies guide.