My previous blog described how Firebase’s password reset system is insecure. This blog introduces a new open-source project which acts as a drop-in replacement for the insecure system.
The problem applies to apps using email/password authentication in Firebase Auth. When a user asks to reset their password, they are by default sent to this mini-app:

Firebase’s default password reset mini-app allows really, really dumb passwords
As you can see, there is next to no password security: the only requirement is that the password be 6 or more characters long, so users can choose trivially guessable passwords like ‘aaaaaa’ or ‘123456’.
Over time, therefore, every use of the password reset feature is another opportunity to pick a weak password, and the user base migrates to less and less secure passwords.
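To make the weakness concrete, here is an added illustration (my own example, not code from the original post or from the replacement project): the default six-character check beside a stricter policy check of the kind a custom reset page would run before submitting the new password. The 12-character minimum, the small denylist and the rule set are assumptions chosen for the example.

```javascript
// Added illustration, not code from the original post or from the replacement project.
// The rules and values below are assumed for the example, not any product's policy.

const MIN_LENGTH = 12; // assumed minimum; Firebase's default page only requires 6

// Constructed denylist for the example; a real deployment would check a large
// breached-password list instead of a handful of entries.
const COMMON_PASSWORDS = new Set(['password', 'qwerty', 'letmein', 'iloveyou', 'welcome']);

// What the default reset page enforces: a six-character minimum and nothing else.
function firebaseDefaultCheck(password) {
  return password.length >= 6;
}

// True when every character is the same, e.g. 'aaaaaa'.
function isRepeatedChar(password) {
  return password.length > 0 && /^(.)\1*$/.test(password);
}

// True for an ascending or descending run of consecutive code points,
// e.g. '123456', 'abcdef' or 'fedcba'.
function isSequentialRun(password) {
  const codes = [...password].map((c) => c.codePointAt(0));
  if (codes.length < 3) return false;
  const step = codes[1] - codes[0];
  if (Math.abs(step) !== 1) return false;
  return codes.every((c, i) => i === 0 || c - codes[i - 1] === step);
}

// True when the password, or its letters alone, is on the denylist,
// so 'Password12345' is caught as well as 'password'.
function isCommonPassword(password) {
  const lower = password.toLowerCase();
  const lettersOnly = lower.replace(/[^a-z]/g, '');
  return COMMON_PASSWORDS.has(lower) || COMMON_PASSWORDS.has(lettersOnly);
}

// Returns the list of policy violations; an empty list means the password is acceptable.
// A reset page would call this before submitting the new password to Firebase.
function checkPassword(password, email = '') {
  const problems = [];
  if (password.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  if (isRepeatedChar(password)) problems.push('a single repeated character');
  if (isSequentialRun(password)) problems.push('a sequential run of characters');
  if (isCommonPassword(password)) problems.push('a commonly used password');
  const local = email.split('@')[0].toLowerCase();
  if (local.length >= 4 && password.toLowerCase().includes(local)) problems.push('contains the account email');
  return problems;
}
```

Both ‘aaaaaa’ and ‘123456’ pass firebaseDefaultCheck but are rejected by checkPassword for more than one reason.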