"description": "Password is too weak" even though the password meets the requirements

We recently had a user try to create an account in our platform and Auth0 denied it. When I looked at the logs, I saw the “password is too weak” message tied to it. Here’s the thing: Our password policy looks correct, I even used the password the user tried in the preview field and no warnings show up.

The password they used is `Testing11111!11111`. When I use this in our dev tenant it works fine but in prod I get back a 400 from the API (yes, the policies in both tenants match). Does Auth0 reject certain passwords even though they technically meet the requirements? Technically, this message is not correct: “At least 8 characters in length\n* Contain at least 3 of the following 4 types of characters:\n * lower case letters (a-z)\n”.

Notice that we don’t have “No more than 2 identical characters in a row” enabled. If I enable that, then the preview does show me the correct error message.

This is the second time this has happened in a couple of years, not a huge issue but still annoying. Trying to figure out how we can improve user experience considering this issue.

Hi @pchois :wave:

Welcome to the Community!

That is definitely unusual and not how it should work if both tenants’ policies are aligned. You might be able to find out more by reviewing the “Failed Sign Up” log in your tenant Dashboard. The log itself should contain the verification rules for the signup and whether the password passed the verification for each item.

I can also take a look at your logs and see if I can find anything there. Just DM me the names of your two tenants and I can compare the events.


Thank you for your response. I found the discrepancy, it is working as expected. We’re updating the requirements on our platform.
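
The per-rule comparison discussed in this thread, as an added example that is not part of the original posts and is not Auth0's code: it evaluates the rules quoted above one by one and reports which rule flips between two policy objects. The policy shape, rule names, the four character classes and the two constructed policies are assumptions; the thread does not say what the actual discrepancy between the tenants was.

```javascript
// Added example: per-rule password check. NOT Auth0's implementation.
// Rule names and the policy object shape are hypothetical.
const CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/,
};

// Length of the longest run of one repeated character.
function longestRun(pw) {
  let best = 0, run = 0, prev = null;
  for (const ch of pw) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > best) best = run;
  }
  return best;
}

// Evaluate every enabled rule and return { ruleName: passed }.
function evaluate(pw, policy) {
  const classesHit = Object.values(CLASSES).filter((re) => re.test(pw)).length;
  const result = {
    minLength: [...pw].length >= policy.minLength,
    charClasses: classesHit >= policy.minClasses,
  };
  // The identical-characters rule is only checked when the policy enables it.
  if (policy.maxIdenticalRun !== null) {
    result.identicalRun = longestRun(pw) <= policy.maxIdenticalRun;
  }
  return result;
}

// Names of the rules whose outcome differs between two policies.
function diffPolicies(pw, a, b) {
  const ra = evaluate(pw, a), rb = evaluate(pw, b);
  const names = new Set([...Object.keys(ra), ...Object.keys(rb)]);
  return [...names].filter((n) => ra[n] !== rb[n]);
}

// Constructed policies: identical except for the identical-characters rule.
const policyA = { minLength: 8, minClasses: 3, maxIdenticalRun: null };
const policyB = { minLength: 8, minClasses: 3, maxIdenticalRun: 2 };
const pw = "Testing11111!11111"; // password quoted in the thread

console.log(evaluate(pw, policyA));
console.log(evaluate(pw, policyB));
console.log(diffPolicies(pw, policyA, policyB));
```

Running the same password through both policies and diffing the per-rule results points at the one setting that differs, which is quicker than comparing settings pages by eye.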