Auth0 Database Password Strength policy insufficient

The current password strength policy is insufficient and does not function the way an admin expects when configuring it.

There are 5 password strengths: None, Low, Fair, Good and Excellent.

None: Non-empty password required

Low: Must have the minimum number of characters

Fair: Must have the minimum number of characters AND contain Lower case (a-z), upper case (A-Z) and numbers (0-9)

Good: Must have the minimum number of characters AND contain any three of the following:

  • Special characters (!@#$%^&*)
  • Lower case (a-z), upper case (A-Z) and numbers (0-9)

Excellent: Must have the minimum number of characters AND have no more than 2 identical characters in a row AND contain any three of the following:

  • Special characters (!@#$%^&*)
  • Lower case (a-z), upper case (A-Z) and numbers (0-9)

The “Good” policy is basically useless and does not do what an admin expects when they look at this. Rather than requiring special characters IN ADDITION to the Lower case (a-z), upper case (A-Z) and numbers (0-9) requirements, you can essentially take a password without a special character that meets the Fair policy and use it for the Good policy without any issues.

I would like this password strength policy to be updated to either:

  1. Good Policy enforces the special characters

OR

  2. Fair policy requires 3 of 4 [Lower case (a-z), upper case (A-Z), numbers (0-9), special characters (!@#$%^&)] AND the Good Policy requires ALL OF [Lower case (a-z), upper case (A-Z), numbers (0-9), special characters (!@#$%^&)]
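As an added illustration (not Auth0's own code and not the post author's), the following models the five levels exactly as the post describes them, beside the two proposed alternatives, and shows that a password with no special character which passes Fair also passes Good today. The minimum length of 8 and the special-character set !@#$%^&* are assumptions taken from the post's wording.

```javascript
// Model of the Auth0 password strength levels as described in the post.
// Assumed: minimum length 8, special characters limited to !@#$%^&*.
const MIN_LENGTH = 8;
const LOWER = /[a-z]/, UPPER = /[A-Z]/, DIGIT = /[0-9]/, SPECIAL = /[!@#$%^&*]/;
const CLASSES = [LOWER, UPPER, DIGIT, SPECIAL];

// Number of the four character classes present in the password.
function countClasses(pw) {
  return CLASSES.filter((re) => re.test(pw)).length;
}

// True when three identical characters appear consecutively (Excellent forbids this).
function hasThreeIdenticalInARow(pw) {
  return /(.)\1\1/.test(pw);
}

function longEnough(pw) {
  return pw.length >= MIN_LENGTH;
}

// Current behaviour as the post describes it.
const CURRENT = {
  none: (pw) => pw.length > 0,
  low: longEnough,
  fair: (pw) => longEnough(pw) && LOWER.test(pw) && UPPER.test(pw) && DIGIT.test(pw),
  // "any three of" the four classes: lower+upper+digit already satisfies it
  good: (pw) => longEnough(pw) && countClasses(pw) >= 3,
  excellent: (pw) => longEnough(pw) && !hasThreeIdenticalInARow(pw) && countClasses(pw) >= 3,
};

// Proposed option 1: Good additionally enforces a special character.
const OPTION1 = { ...CURRENT, good: (pw) => CURRENT.fair(pw) && SPECIAL.test(pw) };

// Proposed option 2: Fair = 3 of 4 classes, Good = all 4 classes.
const OPTION2 = {
  ...CURRENT,
  fair: (pw) => longEnough(pw) && countClasses(pw) >= 3,
  good: (pw) => longEnough(pw) && countClasses(pw) === 4,
};

// Names of the levels a password satisfies under a given model.
function levelsPassed(model, pw) {
  return Object.keys(model).filter((level) => model[level](pw));
}

// Constructed sample: passes Fair with no special character.
const SAMPLE = 'Password1';
console.log('current :', levelsPassed(CURRENT, SAMPLE).join(', '));
console.log('option 1:', levelsPassed(OPTION1, SAMPLE).join(', '));
console.log('option 2:', levelsPassed(OPTION2, SAMPLE).join(', '));
```

Under the current model the sample clears every level including Excellent, which is the gap the post describes; under either proposal it stops at Fair.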