Customize password max length

Problem Statement

What is the password maximum length? And how do I set the password maximum length?

Symptoms

  • Setting password max length is not possible at the moment.
  • There is currently a feature request asking for support for setting the password maximum length.

Solution

At the moment, the only configurable option is the minimum password length. It is set through the password policy of the respective connection: navigate to Dashboard → Authentication → Database, select the connection, and open the ‘Password Policy’ tab.

Here is a document that goes into further detail on configuring Password Strength in Auth0 Database Connections.

However, setting password max length is not possible at the moment.
For a database connection, the effective maximum length is 72 bytes. This size comes from a limitation of bcrypt, the algorithm used to hash database-connection passwords: bcrypt only uses the first 72 bytes of its input. The maximum size is documented here.

Currently, anything beyond the 72-byte limit is ignored: only the first 72 bytes of the password are used and the rest is trimmed before hashing.

Therefore, if two users have different passwords whose first 72 bytes are the same, they are treated as the same password, and either one will verify against the other’s hash. Note that the limit is in bytes, not characters: in UTF-8, characters outside ASCII take two to four bytes each, so a password of fewer than 72 characters can already reach the limit.

Note that this is not the same as “enforcing” a limit, since over-long passwords are accepted silently rather than rejected. It does, however, protect against DoS attacks based on arbitrary-length passwords, because the hashing cost never grows beyond 72 bytes of input, and that protection is the usual intent of setting a max length.
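As an added illustration (not Auth0 code, and not the bcrypt library itself), the following Python reproduces only the 72-byte cut described above so that its consequences can be checked offline: which bytes actually reach the hash, when two different passwords collapse to the same one, and how multi-byte UTF-8 characters reach the limit sooner than 72 characters. `check_password_length` is a hypothetical check an application could run on its own side before submitting credentials, since the connection cannot enforce a maximum; its default minimum of 8 characters is an assumption, not a value from this page.

```python
"""Model of the 72-byte bcrypt input limit.

Added example, not Auth0 code: it reproduces bcrypt's behaviour of using only
the first 72 bytes of the password so the consequences can be checked offline
without the bcrypt library. check_password_length() is a hypothetical check an
application could run before sending credentials to Auth0.
"""
from dataclasses import dataclass

BCRYPT_MAX_BYTES = 72  # bcrypt hashes at most the first 72 bytes of its input


def effective_bytes(password: str) -> bytes:
    """The bytes that actually take part in the hash: UTF-8 encoding cut at 72."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def exceeds_bcrypt_limit(password: str) -> bool:
    """True if part of the password would be silently ignored."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def same_under_bcrypt(a: str, b: str) -> bool:
    """True if bcrypt would accept either password against the other's hash,
    i.e. the two passwords agree on their first 72 bytes."""
    return effective_bytes(a) == effective_bytes(b)


def effective_chars(password: str) -> int:
    """Whole characters that survive truncation. A multi-byte character can be
    cut in the middle at the 72-byte boundary; the split code point is dropped."""
    return len(effective_bytes(password).decode("utf-8", errors="ignore"))


@dataclass
class LengthCheck:
    ok: bool
    reason: str


def check_password_length(password: str, min_length: int = 8,
                          max_bytes: int = BCRYPT_MAX_BYTES) -> LengthCheck:
    """Hypothetical application-side length check (constructed for this example).
    The minimum is in characters, like the dashboard policy; the maximum is in
    bytes, matching what bcrypt actually hashes."""
    if len(password) < min_length:
        return LengthCheck(False, f"shorter than {min_length} characters")
    size = len(password.encode("utf-8"))
    if size > max_bytes:
        return LengthCheck(False, f"{size} bytes exceeds the {max_bytes}-byte bcrypt limit")
    return LengthCheck(True, "ok")


if __name__ == "__main__":
    # Constructed sample passwords: identical for 72 bytes, different after.
    p1 = "x" * 72 + "A"
    p2 = "x" * 72 + "B"
    print(same_under_bcrypt(p1, p2))                        # True: the A/B never reach bcrypt
    print(same_under_bcrypt("x" * 71 + "A", "x" * 71 + "B"))  # False: they differ inside 72 bytes
    # Multi-byte characters reach the limit sooner: 37 x "é" is 74 bytes.
    print(exceeds_bcrypt_limit("é" * 37))                   # True
    print(effective_chars("a" + "€" * 24))                  # 24: the last "€" is split and dropped
    print(check_password_length("x" * 73))                  # LengthCheck(ok=False, ...)
```

The two `same_under_bcrypt` calls are the practical test for the collision described above: append a distinguishing character past byte 72 and the passwords are indistinguishable to bcrypt; move it to byte 72 and they are not. The `effective_chars` case shows why a maximum should be counted in bytes rather than characters when it is enforced on the application side.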