Last Updated: Aug 14, 2024
Overview
This article clarifies what Auth0’s maximum password length is and whether it is possible to change it.
Applies To
- Password Length
- Customize password length
Solution
Setting a custom maximum password length is not currently possible. For a database connection, Auth0 defines a maximum length of 72 bytes, which corresponds to a limitation of the bcrypt algorithm used for password hashing.
Anything beyond the 72-byte limit is ignored: only the first 72 bytes of the given password are considered.
This limit not only complies with bcrypt standards but also protects against DoS attacks based on arbitrary-length passwords.
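The following added example (not Auth0's code) shows that the limit is counted in bytes rather than characters, and how an application's own signup form could flag a password whose tail would be ignored. The helper names are hypothetical, and UTF-8 encoding of the password is an assumption.

```javascript
// Added example. Helper names are hypothetical; UTF-8 encoding is assumed.
const BCRYPT_MAX_BYTES = 72; // limit stated in this article

// Report how much of a password falls inside the 72-byte window.
function inspectPassword(password) {
  const bytes = Buffer.from(password, 'utf8');
  const ignoredBytes = Math.max(0, bytes.length - BCRYPT_MAX_BYTES);
  return {
    characters: Array.from(password).length, // code points, not UTF-16 units
    byteLength: bytes.length,
    ignoredBytes,
    exceedsLimit: ignoredBytes > 0,
    significant: bytes.subarray(0, BCRYPT_MAX_BYTES), // the part that counts
  };
}

// True when two different passwords share the same first 72 bytes, so they
// cannot be told apart once everything past the limit is ignored.
function collideAfterLimit(a, b) {
  return a !== b &&
    inspectPassword(a).significant.equals(inspectPassword(b).significant);
}

// Form-side check: tell the user instead of silently dropping the tail.
function validatePasswordLength(password) {
  const info = inspectPassword(password);
  if (!info.exceedsLimit) return { ok: true, reason: null };
  return {
    ok: false,
    reason: `password is ${info.byteLength} bytes; only the first ` +
      `${BCRYPT_MAX_BYTES} are used (${info.ignoredBytes} ignored)`,
  };
}

// Constructed sample inputs (not real credentials).
const samples = {
  ascii72: 'a'.repeat(72),               // 72 characters, 72 bytes
  ascii80: 'a'.repeat(72) + 'TAILTAIL',  // last 8 bytes fall outside the limit
  accented40: '\u00e9'.repeat(40),       // 40 characters, 2 bytes each
  emoji18: '\u{1F511}'.repeat(18),       // 18 characters, 4 bytes each
};
for (const [name, pw] of Object.entries(samples)) {
  const { characters, byteLength, ignoredBytes } = inspectPassword(pw);
  console.log(name, { characters, byteLength, ignoredBytes },
    validatePasswordLength(pw).ok ? 'accepted' : 'flagged');
}
```

A 40-character password of two-byte characters already exceeds the limit, while 18 four-byte characters fill it exactly.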
Even though it is not possible to configure a maximum password length, it is possible to configure a Minimum Password Length by setting the password policy in the respective connection settings.
To do so, follow these steps:
- Log in to the Auth0 Dashboard.
- Navigate to Authentication > Database.
- Click on the database.
- Navigate to the Authentication Methods tab and click the option to Configure password.
- Choose the intended password policy and set the desired Minimum Password Length.
- Click Save Changes.