We just received our second customer report related to an inability to log in after a successful password reset. The problem can be summarized as follows:
- User clicks our Forgot Password link.
- We ask them for their email and send them a reset link.
- They follow the reset link and are taken to the Password Reset page in Auth0.
- They enter the new password and confirm it.
- Auth0 monitoring shows that password reset was successful for the user.
- The user attempts to log in with the same password.
RESULT: Login fails. Auth0 logs show that the login failed due to a password mismatch.
In both cases the customer swears they are using the same password in the reset process as they are when they attempt to log in. We have asked them to use the clipboard and paste the new password in all the places to avoid any sort of typing error. And our support team has walked them through the process multiple times (e.g. in Incognito) to try and figure out what might be going on.
Other users can go through this flow just fine. And if I grab the password one of these users was using (right out of a signin.har they provided), I am able to use that password in a password reset operation on one of my own accounts. So I don’t think there is any “magic” to the password being chosen.
I have asked for a password.reset.har from the customer to see if there are clues there but I am not optimistic. I don’t believe that it will show that they are using different passwords (because we told them to use the clipboard).
Is there any other way that I can debug this? Is there some way for me to look at a hash saved in Auth0 and compare that to a generated hash of their password?