Disallow Personal Data in Password

I’ve enabled disallow personal data in the password policy but it is not working.

Hi Lisandro - I’ve tested this myself and found that it worked for me.

The Disallow Personal Data option prevents the use of the following personal data in a password (as described in Password Options in Auth0 Database Connections):

  • name
  • username
  • nickname
  • user_metadata.name
  • user_metadata.first
  • user_metadata.last
  • The first part of the user’s email will also be checked - firstpart @example.com

By default, a user may only have their name,. email, and username in their profile. I’ve tested it with this user:

Name auth0 test2
Email auth0-test2@***** (verified)
Username atest2

I was not able to change the password to auth0-test20! because it contained the first part of the email. But I was allowed to change it to auth0test2! and auth0x!38ira because auth0test2 and auth0 don’t match the name, email, or username. To make this safer and stop users from using parts of their name in their password you need to make sure that first name and last name are stored separately in their metadata. I haven’t tested if it successfully matches metadata.

If you (or your users) are able to change their password containing metadata then please raise a ticket via support.auth0.com. Make sure you’re logged in as a tenant admin for your production tenant papaya@eu as otherwise, you won’t see the option “Open Ticket”:

1 Like

Thanks for helping on this one Michael!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.