
password policies

password
password-strength
password-policy

#1

https://auth0.com/docs/connections/database/password-strength
Am I right that a “fair” password is always a “good” one as well?!

A string containing at least 8 characters including a lower-case letter, an upper-case letter, and a number always includes at least 3 of the necessary 4 types of characters for a “good” password, doesn’t it?

Or should it say
Fair: at least 8 characters including a lower-case letter, an upper-case letter, or a number.


#2

Yes, that’s a good observation. I suspect that the fair level got an upgrade at some point in time to better reflect updated recommendations, and that made it go on par with good, in that a fair password now also meets the minimum requirements for a good one. However, the advice for a good one still has some additional notes about special characters which may indeed increase the strength due to a bigger set of possible characters. I would personally read that more as advice hints about how to choose a password rather than a non-overlapping classification.
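
The overlap discussed in this thread can be checked mechanically. The following is an added example, not part of either post and not Auth0's own code; it encodes the two levels as post #1 words them and assumes that "special characters" is the fourth type and that "good" shares the 8-character minimum.

```javascript
// Character classes named in the thread; "special" as the fourth type is an assumption.
const CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/,
};

// Names of the classes that occur at least once in the password.
function classesIn(pw) {
  return Object.keys(CLASSES).filter((name) => CLASSES[name].test(pw));
}

// "Fair" as quoted in post #1: 8+ chars with lower AND upper AND number.
function meetsFair(pw) {
  const c = classesIn(pw);
  return pw.length >= 8 && ["lower", "upper", "digit"].every((n) => c.includes(n));
}

// "Good" as described in post #1: at least 3 of the 4 types (8+ length assumed).
function meetsGood(pw) {
  return pw.length >= 8 && classesIn(pw).length >= 3;
}

// Build one constructed sample per combination of classes and compare the levels.
function compareLevels() {
  const seed = { lower: "a", upper: "B", digit: "7", special: "!" };
  const names = Object.keys(seed);
  const result = { fairNotGood: [], goodNotFair: [] };
  for (let mask = 1; mask < 16; mask++) {
    const used = names.filter((_, i) => mask & (1 << i));
    // Repeat the chosen characters until the sample is at least 8 long.
    let pw = "";
    while (pw.length < 8) pw += used.map((n) => seed[n]).join("");
    if (meetsFair(pw) && !meetsGood(pw)) result.fairNotGood.push(pw);
    if (meetsGood(pw) && !meetsFair(pw)) result.goodNotFair.push(pw);
  }
  return result;
}

console.log(compareLevels());
```

Under these definitions no combination is fair without also being good, while the three combinations that swap one of the required types for a special character are good without being fair.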