Password Policy Not Enforcing Personal Data Restrictions Properly

I’ve enabled the “Disallow Personal Data” option under the password policy settings, expecting that passwords containing any part or substring of the user’s personal data (like name, username, email, etc.) would be rejected.

However, it appears the feature is not working as expected. During testing, passwords that include parts of the user’s personal data (e.g., john123, email2024, etc.)—combined with other characters—are still being accepted (like john@1995), which defeats the purpose of this restriction.

The documentation suggests this setting should prevent passwords from containing any segment of these personal values. I’ve attached a screenshot of the relevant setting for your reference.

Could you please confirm if this is a known issue or guide us on how to enforce this policy strictly so that no part of the personal data (even as substrings) is allowed in the password?

Thank you
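A strict substring check of the kind the question asks for, as an added example that is not Auth0's code or a description of its implementation: it derives tokens from the name, username, nickname and the local part of the email (the field names and the sample profile are assumed and constructed here) and rejects any password containing one as a case-insensitive substring. The `min_len` floor shows why a policy may still let very short fragments through.

```python
import re

# Constructed sample profile for demonstration (not a real user)
SAMPLE_USER = {
    "name": "John Doe",
    "username": "jdoe",
    "email": "john.doe@example.com",
}


def personal_tokens(user: dict, min_len: int = 3) -> set[str]:
    """Derive lower-cased tokens from the user's personal data.

    Each whole value is kept, and each value is also split on
    whitespace and common separators so that 'john' and 'doe' are
    checked on their own. Tokens shorter than min_len are dropped,
    since matching 1-2 character fragments would reject almost any
    password; this is the kind of gap a policy has to choose.
    """
    tokens: set[str] = set()
    for key in ("name", "username", "nickname"):
        value = user.get(key)
        if value:
            tokens.add(value.lower())
            tokens.update(re.split(r"[\s._+\-]+", value.lower()))
    email = user.get("email")
    if email:
        local = email.split("@", 1)[0].lower()
        tokens.add(local)
        tokens.update(re.split(r"[._+\-]+", local))
    return {t for t in tokens if len(t) >= min_len}


def contains_personal_data(password: str, user: dict, min_len: int = 3) -> list[str]:
    """Return the personal-data tokens found as case-insensitive
    substrings of the password; an empty list means it passes."""
    pw = password.lower()
    return sorted(t for t in personal_tokens(user, min_len) if t in pw)


if __name__ == "__main__":
    for candidate in ("john@1995", "Str0ng-Passphrase!"):
        hits = contains_personal_data(candidate, SAMPLE_USER)
        print(candidate, "rejected" if hits else "accepted", hits)
```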

Hello @sandip. Welcome to the Auth0 Community!
I’m going to move this question to our Get Help category so one of our community engineers can assist you. For additional help in the future, search for answers first, and if you need further assistance, please post in our Get Help category, as our community engineers track incoming inquiries.

Hi @sandip

Welcome to the Auth0 Community!

I am sorry about the delayed response to your inquiry!

Depending on what the user’s email address is, some parts might still be allowed even if personal data is being disallowed.

For a better explanation, I would recommend that you review the following community posts:

If you have any other questions, let me know!

Kind Regards,
Nik
