Password policy that supports passphrases / phrase passwords

Feature: Password strength calculated based on either complexity (as today) or length, so that users can choose either to have a shorter, more complex password or a longer (less complex) phrase password.

Description: In recent years, recommendations have generally shifted from using more complex passwords to using longer passwords, see e.g. NIST Password Guidelines and Best Practices for 2020. Auth0’s password strength controls do not really reflect this though – if you use all lower case, it will be considered a weak password no matter how long it is:

Screenshot 2022-02-02 at 10.49.30

Use-case: Many users today prefer to use phrase passwords like “correct horse battery staple”, while others find those too long to type and prefer shorter, more complex passwords like “mJ?XaA+bZTjw”. We would therefore like a password policy that supports both options.

Thank you for creating this feedback card! Let’s see who else from the community will be interested in such an improvement!
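The either/or policy requested in the first post can be sketched as a standalone check. This is an added example, not code from the thread and not Auth0's implementation or API. The names `POLICY`, `BLOCKLIST`, `characterClasses` and `evaluatePassword` and every threshold are assumptions chosen for illustration.

```javascript
// Added example: hypothetical thresholds, not Auth0 settings.
const POLICY = {
  complexMinLength: 8,   // assumed minimum for the short, complex path
  complexMinClasses: 3,  // out of: lowercase, uppercase, digit, symbol
  phraseMinLength: 20,   // assumed minimum for the passphrase path
  phraseMinDistinct: 8,  // rejects long runs such as "aaaaaaaa..."
  maxLength: 128,
};
// Constructed sample blocklist; a real deployment would use a breached-password list.
const BLOCKLIST = new Set(["passwordpasswordpassword", "12345678901234567890"]);

// Count how many of the four character classes appear (spaces count as none).
function characterClasses(chars) {
  const tests = [/\p{Ll}/u, /\p{Lu}/u, /\p{Nd}/u, /[^\p{L}\p{Nd}\s]/u];
  return tests.filter((re) => chars.some((c) => re.test(c))).length;
}

// Accept a password if it passes EITHER the complexity path OR the length path.
function evaluatePassword(password, policy = POLICY) {
  const normalized = password.normalize("NFKC");
  const chars = Array.from(normalized); // code points, not UTF-16 units
  const fail = (reason) => ({ ok: false, path: null, reason });

  if (chars.length > policy.maxLength) return fail("too long");
  if (BLOCKLIST.has(normalized.toLowerCase())) return fail("blocklisted");

  // Path 1: shorter but complex, e.g. "mJ?XaA+bZTjw".
  if (chars.length >= policy.complexMinLength &&
      characterClasses(chars) >= policy.complexMinClasses) {
    return { ok: true, path: "complex", reason: null };
  }
  // Path 2: long passphrase, any character classes, but not one repeated character.
  if (chars.length >= policy.phraseMinLength) {
    const distinct = new Set(chars.map((c) => c.toLowerCase())).size;
    if (distinct >= policy.phraseMinDistinct) {
      return { ok: true, path: "passphrase", reason: null };
    }
    return fail("too repetitive");
  }
  return fail("too short or too simple");
}
```

The blocklist and distinct-character checks are there because a length-only rule would otherwise accept long but trivially guessable strings.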