We’ve recently changed our password policy to be more secure. Is there a way that we can force current users to reset their password if it doesn’t meet the new policy?
Hi @hawk, and welcome to the Auth0 Community!
Your use case should be easily achievable with a Post-login Action that adds a check for password strength using the zxcvbn library. Something like this should work, but let me know if it doesn’t:
exports.onExecutePostLogin = async (event, api) => {
  // Only the database (username/password) connection has a password to evaluate;
  // social and enterprise logins never carry one, so let them through untouched.
  if (event.connection.strategy !== 'auth0') {
    return;
  }

  // Nothing to score when the request body did not include a password.
  const password = event.request.body.password;
  if (!password) {
    return;
  }

  // zxcvbn returns a score from 0 (very guessable) to 4 (very unguessable).
  const zxcvbn = require('zxcvbn');
  const strength = zxcvbn(password);
  const requiredScore = 3; // set to the score you need

  // Passwords below the threshold are refused; the reason string is what your
  // application sees, so it can send the user into a password reset.
  if (strength.score < requiredScore) {
    return api.access.deny('password_reset_required');
  }
};
Don’t forget to add zxcvbn to the dependencies in the Dependencies tab of the Actions menu.
I hope this helps you!
Sincerely,
Teodor.