Password Dictionary protection not working?

Hey! I’ve activated the Password Dictionary protection in my tenant. Now, I looked at the list it pulls and it pulls this list to check against: SecLists/10-million-password-list-top-10000.txt at master · danielmiessler/SecLists · GitHub

These are all lower case passwords, which is fine, because the expectation is that auth0 will check the password typed in by the user by forcing all letters to lower case and then checking them against the list. I don’t think this is being done at auth0 though, because I was able to make an account with the password “Password1” and registration didn’t complain. “password1” is in the list it is supposed to check.

So what’s going on here?
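The check the post above expects, written out as an added example. This is not Auth0's implementation and not part of the original thread; it shows why an exact-match dictionary lookup passes "Password1" while a case-normalized lookup rejects it. The word list is a small constructed subset standing in for the SecLists 10-million-password-list-top-10000.txt file.

```python
# Added example (not Auth0's code): a password dictionary check that
# normalizes case before lookup, compared against a naive exact match.

# Constructed subset standing in for SecLists' top-10000 list, which is
# all lower case; the real file has one entry per line.
COMMON_PASSWORDS_TXT = """
123456
password
password1
qwerty
letmein
welcome
"""


def normalize(password: str) -> str:
    """Fold case so 'Password1', 'PASSWORD1' and 'password1' compare equal.

    casefold() is a stricter lower() that also handles cases such as the
    German sharp s; whitespace around the entry is dropped too.
    """
    return password.strip().casefold()


def load_dictionary(text: str) -> set[str]:
    """Parse a one-entry-per-line list into a set of normalized entries."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def load_dictionary_exact(text: str) -> set[str]:
    """Same list, but without normalization (the naive approach)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def is_common_exact(password: str, dictionary: set[str]) -> bool:
    """Naive lookup: only matches if the typed password is byte-identical."""
    return password in dictionary


def is_common(password: str, dictionary: set[str]) -> bool:
    """Case-insensitive lookup: the check the post expects."""
    return normalize(password) in dictionary


def compare_checks(password: str) -> dict[str, bool]:
    """Run both lookups for one candidate so the gap is visible side by side."""
    exact = load_dictionary_exact(COMMON_PASSWORDS_TXT)
    folded = load_dictionary(COMMON_PASSWORDS_TXT)
    return {
        "exact_match": is_common_exact(password, exact),
        "case_insensitive": is_common(password, folded),
    }


if __name__ == "__main__":
    for candidate in ("password1", "Password1", "PASSWORD1", "Tr0ub4dor&3"):
        print(candidate, compare_checks(candidate))
```

An exact-match check passes "Password1" because the list only contains "password1"; normalizing both the list and the typed password to lower case (once at load time for the list, and per lookup for the candidate) closes that gap.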

Hi @basickarl.

Thanks for reaching out to the Auth0 Community!

I understand you have questions about the Password Dictionary feature on your Database connection.

After testing this myself, I did not find the same observations. Instead, when I try to create a user with a common password after enabling the Password Dictionary feature, I am presented with a "password is too common" error.

Given that, I can confirm that everything is working as expected.

In this case, you may need to check that you have pressed the Save Changes button on your database connection settings after enabling the Password Dictionary Feature. Then, I recommend using the Try Connection button for testing.

Please let me know how this goes.

Thanks.
