We recently had a user try to create an account in our platform and Auth0 denied it. When I looked at the logs, I saw the “password is too weak” message tied to it. Here’s the thing: Our password policy looks correct, I even used the password the user tried in the preview field and no warnings show up.
The password they used is Testing11111!11111. When I use this in our dev tenant it works fine but in prod I get back a 400 from the API (yes, the policies in both tenants match). Does Auth0 reject certain passwords even though they technically meet the requirements? Technically, this message is not correct: “At least 8 characters in length\n* Contain at least 3 of the following 4 types of characters:\n * lower case letters (a-z)\n”.
Notice that we don’t have the “No more than 2 identical characters in a row” option enabled; if I enable that, then the preview does show me the correct error message.
This is the second time this has happened in a couple of years, not a huge issue but still annoying. Trying to figure out how we can improve user experience considering this issue.
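
As an added example (not part of the original post and not Auth0's code): a local check that evaluates a password against each rule named above separately, so a rejection can be traced to the one rule a tenant would have to be enforcing. The function names, option names and the definition of a "special" character are assumptions.

```javascript
// Added example: per-rule evaluation of the password rules quoted in the post.
// Not Auth0's implementation; names and the "special" class are assumptions.
const CHAR_CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/, // assumption: anything that is not a letter or digit
};

// Length of the longest run of one repeated character (by code point).
function longestRun(password) {
  let best = 0, run = 0, prev = null;
  for (const ch of password) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > best) best = run;
  }
  return best;
}

// Returns one result per rule instead of a single pass/fail, so the
// rule behind a "too weak" rejection is visible.
function evaluatePassword(password, opts = {}) {
  const { minLength = 8, minClasses = 3, maxIdentical = null } = opts;
  const classes = Object.keys(CHAR_CLASSES)
    .filter((name) => CHAR_CLASSES[name].test(password));
  const length = [...password].length;
  const results = {
    length: { ok: length >= minLength, detail: length },
    classes: { ok: classes.length >= minClasses, detail: classes },
  };
  // The identical-characters rule is optional, as in the post.
  if (maxIdentical !== null) {
    const run = longestRun(password);
    results.identical = { ok: run <= maxIdentical, detail: run };
  }
  const failed = Object.keys(results).filter((name) => !results[name].ok);
  return { ok: failed.length === 0, failed, results };
}

// The password from the post, without and with the identical-characters rule.
const sample = 'Testing11111!11111';
console.log(JSON.stringify(evaluatePassword(sample)));
console.log(JSON.stringify(evaluatePassword(sample, { maxIdentical: 2 })));
```

Running the same check in the signup form before calling the API lets the user see the specific failing rule instead of a generic 400.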