Password policy that supports passphrases / phrase passwords

Feature: Password strength calculated based on either complexity (as today) or length, so that users can choose either to have a shorter, more complex password or a longer (less complex) phrase password.

Description: In recent years, recommendations have generally shifted from using more complex passwords to using longer passwords, see e.g. NIST Password Guidelines and Best Practices for 2020. Auth0’s password strength controls do not really reflect this though – if you use all lower case, it will be considered a weak password no matter how long it is:


Use-case: Many users today prefer to use phrase passwords like “correct horse battery staple”, while others find those too long to type and prefer shorter, more complex passwords like “mJ?XaA+bZTjw”. We would therefore like a password policy that supports both options.

Thank you for creating this feedback card! Let’s see who else from community will be interested in such improvement!

Definitely need something like this - the special character + upper/lower/numeric requirements are rather old skool (they can result in repeated passwords that are actually rather simple: “I’ll just use Password1! as I can’t remember it otherwise”), and the OWASP guidelines linked to from Password Strength in Auth0 Database Connections have moved on.

There are password strength measuring libraries (that use a variety of measures) that could be used (zxcvbn, etc.).

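As an added example (not code from the original post, from Auth0, or from the OWASP/NIST guidance referenced in this thread), the following Python sketches the policy the request above describes: a password is accepted either as a long passphrase or as a shorter password with several character classes, and in both cases it is first screened against a denylist, which is the check the “Password1!” comment above points at. The thresholds (8 / 15 characters, 3 classes), the tiny inline denylist and the keyspace-based bit estimate are assumptions chosen for illustration; the denylist is constructed for the example, and a real deployment would screen against a breached-password corpus or use a library such as zxcvbn instead of the crude estimate here.

```python
import math
import string
from dataclasses import dataclass

# Constructed denylist for this example only. A real deployment screens against a
# breached-password corpus; this just shows where the check sits in the policy.
DENYLIST = {"password", "password1", "password1!", "qwerty", "letmein", "123456"}

# Policy thresholds: assumed values for this example, not Auth0's settings.
MIN_LENGTH = 8            # floor that applies to every password
PASSPHRASE_MIN = 15       # at or above this length, complexity rules are waived
COMPLEX_MIN_CLASSES = 3   # character classes required below PASSPHRASE_MIN

# Character pools for a crude keyspace estimate. Space counts as a symbol so that
# phrase passwords such as "correct horse battery staple" are not penalised for it.
POOLS = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def char_classes(pw):
    """Return the set of pool names that appear in pw."""
    return {name for name, (chars, _) in POOLS.items() if any(c in chars for c in pw)}


def estimated_bits(pw):
    """Keyspace estimate: length * log2(size of the union of pools used).

    This deliberately overestimates dictionary phrases (it treats every position as
    uniformly random); it is only here to show why length dominates the estimate.
    """
    pool = sum(POOLS[name][1] for name in char_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


@dataclass
class Verdict:
    accepted: bool
    rule: str      # which rule decided the outcome
    bits: float    # estimated_bits(pw), for display


def evaluate(pw):
    """Accept on length OR complexity, after a denylist and minimum-length gate."""
    bits = estimated_bits(pw)
    if pw.lower() in DENYLIST:
        return Verdict(False, "denylisted", bits)
    if len(pw) < MIN_LENGTH:
        return Verdict(False, "too_short", bits)
    if len(pw) >= PASSPHRASE_MIN:
        return Verdict(True, "passphrase", bits)
    if len(char_classes(pw)) >= COMPLEX_MIN_CLASSES:
        return Verdict(True, "complex", bits)
    return Verdict(False, "insufficient_complexity", bits)


if __name__ == "__main__":
    # The two examples from the feature request, the one from the reply, and two
    # negatives so the rejection paths are visible too.
    for candidate in ["correct horse battery staple", "mJ?XaA+bZTjw",
                      "Password1!", "abcdefgh", "short1!"]:
        v = evaluate(candidate)
        print(f"{candidate!r:34} accepted={v.accepted!s:5} rule={v.rule:24} ~{v.bits:.1f} bits")
```

The order of the rules matters: the denylist runs before the length rule, so a long but well-known string is still rejected, and the 8-character floor is applied regardless of which branch would otherwise accept. Running this with zxcvbn in place of `estimated_bits` would also catch repeated characters and dictionary words, which the pool-based estimate above does not.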

Thanks for providing the context @craig.burton ! I’ll make sure to advocate for it internally myself!


I agree @danmichaelo. Please see here and consider upvoting the request for all improvements and changes needed, including your suggestion here, to align with the current OWASP 4.0 standards.