I’ve enabled the “Disallow Personal Data” option under the password policy settings, expecting that passwords containing any part or substring of the user’s personal data (like name, username, email, etc.) would be rejected.
However, it appears the feature is not working as expected. During testing, passwords that include parts of the user’s personal data (e.g., john123, email2024, etc.)—combined with other characters—are still being accepted (like john@1995), which defeats the purpose of this restriction.
The documentation suggests this setting should prevent passwords from containing any segment of these personal values. I’ve attached a screenshot of the relevant setting for your reference.
Could you please confirm if this is a known issue or guide us on how to enforce this policy strictly so that no part of the personal data (even as substrings) is allowed in the password?
Thank you
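As an added illustration (not code from the product or the poster above), the following Python shows the difference between the strict substring check the post expects and a weaker whole-value comparison that would let a password like john@1995 through. The profile keys, the tokenisation rules and the minimum fragment length are assumptions for the example.

```python
import re

# Fragments shorter than this are ignored so that a two-letter initial
# does not reject nearly every password (threshold is an assumption).
MIN_FRAGMENT_LEN = 3

def personal_fragments(profile: dict, min_len: int = MIN_FRAGMENT_LEN) -> set:
    """Lowercase fragments of the user's personal data that a password
    must not contain. Profile keys 'name', 'username' and 'email' are
    assumed; only the local part of the email is used, since the domain
    is shared by many users and is not personal to this one."""
    values = [profile.get("name", ""), profile.get("username", "")]
    if profile.get("email"):
        values.append(profile["email"].split("@", 1)[0])
    frags = set()
    for value in values:
        value = value.strip().lower()
        # the whole value plus each token inside it ("John Smith" -> john, smith)
        for token in [value] + re.split(r"[\s._\-+]+", value):
            if len(token) >= min_len:
                frags.add(token)
    return frags

def personal_data_in_password(password: str, profile: dict):
    """Strict check: return the first personal-data fragment that appears
    anywhere in the password (case-insensitive substring), or None."""
    lowered = password.lower()
    for frag in sorted(personal_fragments(profile), key=len, reverse=True):
        if frag in lowered:
            return frag
    return None

def whole_value_only(password: str, profile: dict) -> bool:
    """Weaker comparison for contrast: only an exact (case-insensitive) match
    against a whole personal value is rejected, so 'john@1995' gets through
    even though 'john' is the user's name. Returns True if rejected."""
    lowered = password.lower()
    return any(lowered == v.lower() for v in profile.values() if v)

if __name__ == "__main__":
    # constructed sample profile, not taken from the original post
    profile = {"name": "John Smith", "username": "john123",
               "email": "john.smith@example.com"}
    for pw in ["john@1995", "MySmith!2024", "Tr0ub4dor&3"]:
        print(pw, "->", personal_data_in_password(pw, profile),
              "| whole-value check rejects:", whole_value_only(pw, profile))
```

Running it shows john@1995 rejected by the substring check (fragment "john") but accepted by the whole-value comparison, which is the behaviour described in the post.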