It's not possible to comply with the NIST guidelines by using Auth0

Hello,

I was reading this article from your blog and, after some research on this forum and the documentation, I found it impossible to meet the actual NIST guidelines by using the Password Strength options.

From all the requirements, I’m not able to meet these ones at the same time:

• Users should be prevented from using sequential (ex. “1234”) or repeated (ex. “aaaa”) characters
• Complexity requirements should not be used, ex. requiring special characters, numbers, uppercase, etc.

In the configuration screen, I’m forced to enforce all the previous requirements if I don’t want to allow users to use more than two identical characters in a row.

Is there a way to skip the complexity requirements? Do you have plans to make these requirements optional? (e.g. only choose the ones you want)

Thanks.
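An added example, not Auth0's code or a setting of its Password Strength policy: a plain JavaScript check that enforces the two NIST rules the post wants to combine, assuming a minimum length of 8, rejecting runs of more than two identical characters and runs of four or more sequential characters, and deliberately imposing no complexity rule.

```javascript
// Added example (not Auth0's code). Assumptions: min length 8, at most two
// identical characters in a row, no run of 4+ sequential characters (either
// ascending like "1234"/"abcd" or descending like "dcba"). No complexity rules.

function hasRepeatedRun(password, maxRun = 2) {
  const cps = Array.from(password); // code points, so surrogate pairs count once
  let run = 1;
  for (let i = 1; i < cps.length; i++) {
    run = cps[i] === cps[i - 1] ? run + 1 : 1;
    if (run > maxRun) return true;
  }
  return false;
}

function hasSequentialRun(password, minRun = 4) {
  const cps = Array.from(password, (c) => c.codePointAt(0));
  // Look for runs where each code point is the previous one +1 (or -1).
  for (const step of [1, -1]) {
    let run = 1;
    for (let i = 1; i < cps.length; i++) {
      run = cps[i] - cps[i - 1] === step ? run + 1 : 1;
      if (run >= minRun) return true;
    }
  }
  return false;
}

function checkPassword(password, minLength = 8) {
  const problems = [];
  if (Array.from(password).length < minLength) {
    problems.push(`shorter than ${minLength} characters`);
  }
  if (hasRepeatedRun(password)) {
    problems.push('more than two identical characters in a row');
  }
  if (hasSequentialRun(password)) {
    problems.push('sequential characters such as "1234" or "abcd"');
  }
  // No check for digits, upper case or special characters on purpose:
  // length plus the two run rules is what the post is asking for.
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs for a quick look at the outcome.
for (const p of ['correct horse battery', 'aaaa1234', 'dcba!!zz', 'abc12']) {
  console.log(JSON.stringify(p), checkPassword(p));
}
```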

In the Password Strength section there is a link to the OWASP website where, if we follow the documentation, we land on this file detailing the requirements where it states:

This reality renders knowledge based authenticators, SMS and email recovery, password history, complexity, and rotation controls useless. These controls always have been less than helpful, often forcing users to come up with weak passwords every few months, but with the release of over 5 billion username and password breaches, it’s time to move on.

@konrad.sopala can you help with this? Thanks!

Hey there!

For now, as far as my knowledge goes, it’s neither possible to skip it nor to customise it (no product plans for that).