
Conversation

@dmoerner
Contributor

@dmoerner dmoerner commented Jan 17, 2026

Description

User passwords imported with insecure hashers are automatically migrated to bcrypt by the Clerk backend. However, there is a maximum length to a bcrypt password because hashing is computationally intensive. Users with imported passwords that are too long would encounter an error on login. The backend error handling has been improved for this case; capture the backend error and direct the user to the reset password flow.

Feedback on the exact text would be welcome; I felt that a title like "Password too long" was weird and used the more generic "Password must be reset", but I'm happy to adjust this.

Fixes USER-4417

Before:

[image]

After:

[screenshot: Screenshot 2026-01-17 at 13-04-04 My account My Application]

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features
    • Added a flow that prompts imported users with overly long passwords to reset their password.
    • Users see a "Password must be reset" message and are guided to reset via email or SMS.
    • Sign-in UI and error messaging updated to surface the long-password recovery prompt.


@changeset-bot

changeset-bot bot commented Jan 17, 2026

🦋 Changeset detected

Latest commit: 6b11fe6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages:
  • @clerk/ui: Minor
  • @clerk/chrome-extension: Patch


@vercel

vercel bot commented Jan 17, 2026

The latest updates on your projects.

  • Project: clerk-js-sandbox; Deployment: Ready; Review: Preview, Comment; Updated (UTC): Jan 20, 2026 6:20pm

@coderabbitai
Contributor

coderabbitai bot commented Jan 17, 2026

📝 Walkthrough

Walkthrough

This pull request adds handling for the password_too_long_needs_reset error across the authentication UI. It introduces an isPasswordTooLongError helper, expands localization with a signIn.passwordTooLong.title and corresponding unstable error message, adds a passwordTooLong AlternativeMethodsMode, updates sign-in components to route to a reset flow for that error, and includes tests covering email and phone reset flows.

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)
  • Docstring Coverage (Warning): Docstring coverage is 33.33%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately and concisely summarizes the main change: redirecting users with long imported passwords to password reset.
  • Linked Issues check: Passed. All objectives from USER-4417 are met: the PR detects the password_too_long_needs_reset error, updates UI components to handle it, and directs users to the reset-password flow like compromised passwords.
  • Out of Scope Changes check: Passed. All changes are scoped to handling the password_too_long_needs_reset error and implementing the reset-password flow; no unrelated modifications detected.

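To make the flow described in the PR description and the walkthrough concrete: the sign-in UI receives an API error from the backend, must recognise the specific password_too_long_needs_reset code, and then route the user to a reset delivered by email or SMS. The block below is an added example written for this page; it is not the PR's code and not Clerk's implementation. The errors[].code shape mirrors the structure of Clerk API error responses, but the helper names (isPasswordTooLongError, selectRecoveryRoute), the RecoveryRoute values and the sample payloads are assumptions constructed for the example.

```typescript
// Added example (not the PR's code or Clerk's own implementation): a helper in the
// spirit of the PR's `isPasswordTooLongError`, plus the routing decision the sign-in
// UI has to make. The `errors[].code` shape mirrors Clerk API error responses; the
// helper names, the `RecoveryRoute` values and the sample payloads are assumptions
// constructed for this example.

const PASSWORD_TOO_LONG_CODE = 'password_too_long_needs_reset';

// Minimal shape of one entry in a Clerk-style API error response (assumed).
interface ApiErrorEntry {
  code: string;
  message?: string;
  longMessage?: string;
}

interface ApiErrorResponse {
  errors: ApiErrorEntry[];
}

// Type guard: does this value look like an API error response with an `errors` array?
function isApiErrorResponse(err: unknown): err is ApiErrorResponse {
  return typeof err === 'object' && err !== null && Array.isArray((err as { errors?: unknown }).errors);
}

// True only when the backend explicitly reported the long-password-needs-reset code.
// Matching on the exact code (not on message text) keeps the check stable across
// localizations and avoids treating unrelated failures as a reset condition.
function isPasswordTooLongError(err: unknown): boolean {
  return isApiErrorResponse(err) && err.errors.some(e => e.code === PASSWORD_TOO_LONG_CODE);
}

// Where the sign-in UI should send the user (values assumed for this example).
type RecoveryRoute =
  | { kind: 'reset_via_email'; identifier: string }
  | { kind: 'reset_via_phone'; identifier: string }
  | { kind: 'show_error'; message: string }
  | { kind: 'none' };

interface UserContacts {
  email?: string;
  phone?: string;
}

// Decide what to do with a failed sign-in attempt. The reset prompt is shown only for
// the specific code; every other error is surfaced unchanged, so a wrong password or
// a locked account is never silently turned into a "reset your password" prompt.
function selectRecoveryRoute(err: unknown, contacts: UserContacts): RecoveryRoute {
  if (!isApiErrorResponse(err)) return { kind: 'none' };
  if (isPasswordTooLongError(err)) {
    if (contacts.email) return { kind: 'reset_via_email', identifier: contacts.email };
    if (contacts.phone) return { kind: 'reset_via_phone', identifier: contacts.phone };
    // No contact to deliver a reset code to: surface the PR's title text as a plain error.
    return { kind: 'show_error', message: 'Password must be reset' };
  }
  const first = err.errors[0];
  return { kind: 'show_error', message: first?.longMessage ?? first?.message ?? first?.code ?? 'Sign-in failed' };
}

// Constructed sample payloads (not captured from a real Clerk response).
const SAMPLE_TOO_LONG: ApiErrorResponse = {
  errors: [{ code: PASSWORD_TOO_LONG_CODE, message: 'Password must be reset' }],
};
const SAMPLE_OTHER_FAILURE: ApiErrorResponse = {
  errors: [{ code: 'form_password_incorrect', message: 'Password is incorrect' }],
};

// Quick demonstration when run directly.
console.log(selectRecoveryRoute(SAMPLE_TOO_LONG, { email: 'user@example.com' }));
console.log(selectRecoveryRoute(SAMPLE_OTHER_FAILURE, { email: 'user@example.com' }));
```

The design point worth keeping from the PR is that the decision keys on the exact backend error code rather than on message text or on password length measured client-side: the backend is the only component that knows which stored hash a user has and whether migration to bcrypt failed, so the client should act only on its explicit signal and otherwise show the original error.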

@pkg-pr-new

pkg-pr-new bot commented Jan 17, 2026


@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7617

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7617

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7617

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7617

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7617

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7617

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7617

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7617

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7617

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7617

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7617

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7617

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7617

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7617

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7617

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7617

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7617

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7617

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7617

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7617

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7617

commit: 6b11fe6

@dmoerner
Contributor Author

Switching to draft: This PR currently still requires email code reverification (or similar) in most flows as a condition of resetting the password. This should not actually be necessary for passwords of this length. Investigate directly taking the user to the reset password page.

Also, note: Will need to regenerate localizations pnpm --filter @clerk/localizations generate
