Feature: Password strength calculated based on either complexity (as today) or length, so that users can choose either to have a shorter, more complex password or a longer (less complex) phrase password.
Description: In recent years, recommendations have generally shifted from using more complex passwords to using longer passwords, see e.g. NIST Password Guidelines and Best Practices for 2020. Auth0’s password strength controls do not really reflect this though – if you use all lower case, it will be considered a weak password no matter how long it is:
Use-case: Many users today prefer to use phrase passwords like “correct horse battery staple”, while others find those too long to type and prefer shorter, more complex passwords like “mJ?XaA+bZTjw”. We would therefore like a password policy that supports both options.
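
An added example (not part of the original post and not Auth0's implementation) of the either-or check the request describes: a password passes if it meets the complexity rule or the length rule. The thresholds and the names `POLICY` and `evaluatePassword` are assumptions chosen for illustration.

```javascript
// Assumed thresholds for illustration; not Auth0 settings.
const POLICY = {
  complexMinLength: 10,  // assumed minimum for the short, complex option
  complexMinClasses: 3,  // assumed: 3 of lower / upper / digit / symbol
  phraseMinLength: 20,   // assumed minimum for the long passphrase option
  phraseMinDistinct: 8,  // assumed: rejects one repeated character
};

// Count how many of the four character classes appear in the password.
function characterClasses(password) {
  const tests = [/\p{Ll}/u, /\p{Lu}/u, /\p{Nd}/u, /[^\p{L}\p{Nd}\s]/u];
  return tests.filter((re) => re.test(password)).length;
}

// Accept the password if EITHER the complexity rule OR the length rule holds.
function evaluatePassword(password, policy = POLICY) {
  const normalized = password.normalize("NFKC");
  const chars = Array.from(normalized); // code points, not UTF-16 units
  const length = chars.length;
  const classes = characterClasses(normalized);
  const distinct = new Set(chars).size;

  const complexOk =
    length >= policy.complexMinLength && classes >= policy.complexMinClasses;
  const phraseOk =
    length >= policy.phraseMinLength && distinct >= policy.phraseMinDistinct;

  return {
    accepted: complexOk || phraseOk,
    satisfiedBy: complexOk ? "complexity" : phraseOk ? "length" : null,
    length,
    classes,
    distinct,
  };
}

// The two passwords from the use-case above, plus two rejected inputs.
for (const pw of ["correct horse battery staple", "mJ?XaA+bZTjw",
                  "password", "a".repeat(24)]) {
  console.log(JSON.stringify(pw), evaluatePassword(pw));
}
```

The distinct-character floor is what keeps a length-only rule from accepting a single repeated character; a production policy would normally also screen candidates against a list of known-compromised passwords.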