Password dictionary not preventing certain passwords from being used

Problem statement

For the Password Dictionary feature, the dictionary is the list of the 10k most used passwords at https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt, and that list contains ‘password’ and ‘test’. However, Auth0 does not check whether a dictionary entry is contained within the user’s password.

For example, if I put my password as ‘test@123445’, the password includes the word ‘test’ from the list, but it will pass the validation.

Cause

Currently, the Password Dictionary feature prevents a password from being used only if the password is an exact match of an entry in the “10k common passwords” dictionary. The Password Dictionary does not use fuzzy or substring matching, so a password that merely contains or resembles an entry in the list is not rejected.
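The following is an added illustration, not Auth0’s code, of the difference between the exact-match check described above and a stricter substring check. The dictionary is a small constructed subset standing in for the 10k list; the helper names are hypothetical.

```python
# Constructed subset standing in for the 10k-most-common list (not the real file).
COMMON_PASSWORDS = {"password", "test", "123456", "qwerty", "letmein"}

# Very short dictionary entries would match almost any password as a substring,
# so the substring check ignores entries below this length.
MIN_SUBSTRING_LEN = 4


def exact_match_rejected(password: str, dictionary=COMMON_PASSWORDS) -> bool:
    """Exact-match policy: reject only when the whole password (case-insensitive)
    equals a dictionary entry. 'test@123445' passes this check."""
    return password.lower() in dictionary


def substring_rejected(password: str, dictionary=COMMON_PASSWORDS,
                       min_len=MIN_SUBSTRING_LEN):
    """Substring policy: reject when any dictionary entry of at least min_len
    characters appears anywhere inside the password (case-insensitive).
    Returns the longest offending entry, or None if the password passes."""
    lowered = password.lower()
    # Check longer entries first so the most specific match is reported.
    for entry in sorted(dictionary, key=len, reverse=True):
        if len(entry) >= min_len and entry in lowered:
            return entry
    return None


def evaluate(password: str) -> dict:
    """Run both policies side by side for a given password."""
    return {
        "password": password,
        "exact_match_rejected": exact_match_rejected(password),
        "substring_hit": substring_rejected(password),
    }


if __name__ == "__main__":
    for candidate in ("password", "test@123445", "correct-horse-battery"):
        print(evaluate(candidate))
```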

Solution

If you would like to see this functionality in a future release of Auth0, we would encourage you to vote for this feature by giving a thumbs up on this community post:
