Password Policy Not Enforcing Personal Data Restrictions Properly

I’ve enabled the “Disallow Personal Data” option under the password policy settings, expecting that passwords containing any part or substring of the user’s personal data (like name, username, email, etc.) would be rejected.

However, it appears the feature is not working as expected. During testing, passwords that include parts of the user’s personal data (e.g., john123, email2024, etc.)—combined with other characters—are still being accepted (like john@1995), which defeats the purpose of this restriction.

The documentation suggests this setting should prevent passwords from containing any segment of these personal values. I’ve attached a screenshot of the relevant setting for your reference.

Could you please confirm if this is a known issue or guide us on how to enforce this policy strictly so that no part of the personal data (even as substrings) is allowed in the password?

Thank you
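For reference, here is a strict substring check of the kind the post asks for. It is an added example, not part of the original post and not the product's own code. The profile field names, the 4-character minimum fragment length and the choice to use only the local part of the e-mail address are assumptions.

```python
import re
import unicodedata

MIN_FRAGMENT_LEN = 4  # assumption: shorter fragments would reject nearly every password


def normalize(text):
    """Case-fold and strip accents so 'José' and 'JOSE' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def personal_tokens(profile, min_len=MIN_FRAGMENT_LEN):
    """Break profile values into tokens; for e-mail addresses keep only the local part."""
    tokens = set()
    for value in profile.values():
        value = normalize(str(value or "")).split("@", 1)[0]
        tokens.update(t for t in re.split(r"[\W_]+", value) if len(t) >= min_len)
    return tokens


def personal_fragments(password, profile, min_len=MIN_FRAGMENT_LEN):
    """Return every min_len-character slice of a personal token found in the password.

    Checking fixed-size slices is enough: any longer shared substring contains one.
    """
    pw = normalize(password)
    hits = set()
    for token in personal_tokens(profile, min_len):
        for i in range(len(token) - min_len + 1):
            if token[i:i + min_len] in pw:
                hits.add(token[i:i + min_len])
    return sorted(hits)


def password_allowed(password, profile):
    return not personal_fragments(password, profile)


# Constructed sample profile, not taken from any real system.
PROFILE = {
    "first_name": "Johnathan",
    "last_name": "Smith",
    "username": "jsmith",
    "email": "johnathan.smith@example.com",
}

if __name__ == "__main__":
    for candidate in ("john123", "john@1995", "xNATHANx9", "Tr7!vq-Lamp#92"):
        print(candidate, personal_fragments(candidate, PROFILE) or "allowed")
```

Values shorter than the minimum fragment length are ignored entirely, so the threshold trades strictness against rejecting unrelated passwords.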