Feature: Allow Fuzzy Matching of the list of “10k common passwords” for Password Dictionary protection
Description: Currently the Password Dictionary feature, if enabled, prevents passwords from being used if it is an exact match of a password in the “10k common passwords” dictionary. The Password Dictionary would be more useful if I could enable fuzzy matching enforcement so that a password that is similar to an entry in the list would also be rejected.
See related question: https://community.auth0.com/t/password-dictionary-protection-not-working-as-expected-for-password-reset/93347/3
Use-case: We have built a web based SPA for a SaaS platform. We use Auth0 for our authorization and identity management. Despite having Password Dictionary protection enabled, we got hit with a reported security vulnerability because a user was able to make their password “Password1!”. This password contains “password1” and “password” which are entries in the list of “10k common passwords” This password complies with our complexity setting level of “Excellent” but would be quite easy to guess.