
Does automatic migration to Auth0 require loosening the password strength policy for existing users with weak passwords?

We are implementing Auth0 authentication for our service, which has existed for a few years and uses a custom database that we want to replace with the Auth0 solution. It’s not live yet, but when we finish all the work needed, we are going to migrate existing users to the Auth0 database. For new users, we want to force them to create strong passwords, although existing ones might already have weaker combinations, and I see this as a possible problem. We would like to migrate all users without any additional interaction. By that I mean we don’t want them to reset their passwords.

As part of the investigation, I looked everywhere and couldn’t find an answer to how users with weaker passwords are handled during the migration.
I came up with 3 options for the problem:

  1. We should handle users with weak passwords somehow in login/getUser scripts
  2. We should loosen the password strength policy.
  3. We should do nothing because as long as the username/password combination is correct and valid in the external database, the user will be migrated to Auth0.

Can somebody tell me which option is really possible and whether we need to do anything about this?
I’m sure that everybody who has already done the automatic migration should know the answer to my question.

Can I accept the comment from this question as the right answer, so we don’t have to bother with handling weak passwords?

That comment is indeed still applicable as I just repeated a test with a database with import mode and a password policy at the maximum.

An existing user will be allowed to complete the login (and be migrated to Auth0) even if they have a weaker password. However, new users or existing users that reset password would be forced to choose a password according to the policy.


Cool! I’m happy to hear it, so we don’t need to reinvent the wheel. Perhaps it’s worth adding a small clarification about this to the documentation for Automatic Migration, so that nobody gets stuck on the same issue in the future.
Thank you very much @jmangelo