Default Password Policy
By default, Stytch uses zxcvbn for our password strength assessment. zxcvbn is designed with modern password-cracking techniques in mind and rewards passwords that are easy to type but hard to crack, like EntropyIsInformation, over annoying and ineffective LUDS (lower, upper, digit, symbol) requirements, which still allow users to set easily crackable passwords like P@ssword123. You can play around with zxcvbn here.
Stytch integrates with HaveIBeenPwned to detect breached passwords, and by default verifies the user’s password has not been breached on both initial password creation and on subsequent authentication. If HaveIBeenPwned indicates that a user’s current password has been breached, Stytch will force the end user to reset their password in order to prevent a credential stuffing attack.
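To make both points concrete, here is an added example (not Stytch's code) that shows a LUDS rule accepting P@ssword123 while rejecting EntropyIsInformation, and a breach check in the style of the HaveIBeenPwned Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 are sent and the `SUFFIX:COUNT` response is matched locally. The HTTP call is replaced by a constructed breach list with made-up counts so the example runs offline.

```python
import hashlib
import re

def luds_ok(password: str) -> bool:
    """Classic lower/upper/digit/symbol rule, the kind of policy the page argues
    against: it accepts P@ssword123 and rejects EntropyIsInformation."""
    return (len(password) >= 8
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query_parts(password: str) -> tuple:
    """Split the SHA-1 into the 5-hex-char prefix that is sent to the range
    endpoint and the 35-char suffix that never leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

# Constructed stand-in for the breach corpus; the counts are made up.
CONSTRUCTED_BREACHED = {"P@ssword123": 4021, "password": 9545824}

def fake_range_response(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for every
    breached hash sharing that prefix, built from the constructed corpus."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = range_query_parts(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def breach_count(password: str, range_response: str) -> int:
    """Match our own suffix against the returned list; 0 means not found."""
    _, suffix = range_query_parts(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0

def password_decision(password: str) -> str:
    """Policy from the page: a breached password forces a reset."""
    prefix, _ = range_query_parts(password)
    if breach_count(password, fake_range_response(prefix)) > 0:
        return "force_reset"
    return "accept"
```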
However, Stytch also offers the ability to customize your password strength assessment and password breach detection policies to fit whatever makes the most sense for your application. You can read more about the full list of configurations in the Strength Policies guide.