Feature: Allow configuration to enforce 4 of 4 requirements when setting/resetting passwords
Description: Currently all password levels require the user to meet 3 out of 4 requirements (special characters, numbers, lowercase, uppercase) when setting/resetting the password. It would be nice if the lock widget configuration could take an attribute to change this (our requirement would be 4/4).
Use-case: We work with the pharma industry, which is heavily regulated and recently more focused on cyber security. They are looking to maximise security wherever possible, including strong password policies, MFA, etc. Currently the password policy setting is the main focus to improve our customers' confidence in authentication and password strength.
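To make the difference between the current 3-of-4 rule and the requested 4-of-4 rule concrete, here is an added example (not Auth0's or the Lock widget's own code) of a character-class password check with a configurable threshold. The function name `checkPassword`, the `requiredClasses` option, the `minLength` default of 8 and the sample passwords are all assumptions made for this illustration; Auth0's actual policies may include further rules not described in this thread.

```javascript
// Added example, not Auth0 code: a password check that counts how many of the
// four character classes named in the request (lowercase, uppercase, digits,
// special characters) a password contains, and compares that count against a
// configurable threshold. requiredClasses = 3 models the current 3/4 behaviour,
// requiredClasses = 4 models the requested 4/4 behaviour.
// CLASS_PATTERNS, checkPassword and comparePolicies are names chosen here.

const CLASS_PATTERNS = {
  lowercase: /[a-z]/,
  uppercase: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/, // anything outside the other three classes
};

function checkPassword(password, { minLength = 8, requiredClasses = 3 } = {}) {
  // Which classes are present in the candidate password.
  const met = Object.entries(CLASS_PATTERNS)
    .filter(([, re]) => re.test(password))
    .map(([name]) => name);
  const missing = Object.keys(CLASS_PATTERNS).filter((n) => !met.includes(n));
  const longEnough = password.length >= minLength;
  // Both the length floor and the class threshold must hold.
  const ok = longEnough && met.length >= requiredClasses;
  return { ok, length: password.length, met, missing, longEnough };
}

// Constructed sample inputs (not taken from the thread) to show where the two
// thresholds diverge: "Password1" satisfies 3 classes but not 4.
const SAMPLES = ['123456', 'Password1', 'Passw0rd!', 'correcthorsebatterystaple'];

function comparePolicies(samples = SAMPLES) {
  return samples.map((p) => ({
    password: p,
    threeOfFour: checkPassword(p, { requiredClasses: 3 }).ok,
    fourOfFour: checkPassword(p, { requiredClasses: 4 }).ok,
    missing: checkPassword(p).missing.join(',') || '-',
  }));
}

// Print the comparison table when run directly with Node.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.table(comparePolicies());
}
```

Running the block with Node prints a table in which the 6-character numeric example fails under both policies (it is too short and covers one class), while a mixed-case alphanumeric password passes 3/4 but is rejected by 4/4 because it has no special character. That last row is exactly the gap the feature request is about: only the stricter threshold forces the fourth class.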
For my organization, not having this feature is reason enough to leave Auth0. Our customers are enterprise companies that have strict security standards. As it stands, we cannot comply with their standards.
Compared to other product feedback in the gathering it still didn’t have enough voices / advocates and there are other features that are more significant to implement. As soon as anything changes I will give you an update!
Hi @konrad.sopala we just recognized this missing setting and we would need this very urgently! It seems strange to provide Attack Protection features, but not to consider these “standard” 4/4 requirements when choosing a password. Imagine someone would use a weak password with 6 characters, e.g. 123456, without special characters or uppercase letters, … Unfortunately, we already implemented Auth0 as SSO service in more than 13 of our websites. This is actually a huge problem.
In the case you mentioned they won’t be able to login. Our product team is constantly checking our Feedback category so the best we can do to make this feature more likely to be implemented is to upvote it. Thank you!
This needs to be improved - 3/4 requirements at 8 or 10 characters is too weak. As others have already stated, there are situations where this doesn’t meet security standards.