Problem statement
When disabling the Personal Data for a database’s password policy, the documentation states that this option disallows users from setting passwords that contain any part of their personal data, however the validating does not seem to be working as expected.
For example, a user with email “john.doe@auth0.com”, attempting to use passwords “JohnDoe” or “doe” or “Doe” were all permitted despite these strings being included in the user’s username field and the users email.
Solution
With this policy option enabled, the first part of the user’s email will be checked - firstpart@example.com
For example, if the user’s name were “John”, the user would not be allowed to include “John” in their password; John1234 would not be allowed.
However, the first part of the email will not be separated further in making this check, so for “john.doe@auth0.com”, passwords can include “johndoe”, “john”, and “doe”, but passwords including the string “john.doe” will be flagged as invalid.
Related References: