Personal Data Password Policy Still Permitting Parts of Email

Problem statement

When the Personal Data option is enabled for a database connection's password policy, the documentation states that users are not allowed to set passwords containing any part of their personal data. However, the validation does not appear to work as expected.

For example, a user with the email “john.doe@auth0.com” was able to set the passwords “JohnDoe”, “doe” and “Doe”, even though these strings appear in the user's username field and email address.

Solution

With this policy option enabled, only the first part of the user's email address (the local part, i.e. the “firstpart” in firstpart@example.com) is checked against the password.

For example, if the user's name were “John”, the user would not be allowed to include “John” in their password: “John1234” would be rejected.

However, the local part of the email is compared as a single string and is not split further on separators such as “.”. For “john.doe@auth0.com”, a password may therefore contain “johndoe”, “john” or “doe”, but any password containing the exact string “john.doe” will be rejected as invalid.
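The following is an added, illustrative example and is not Auth0's implementation. The first function reproduces the behaviour described above (the local part of the email, and a name field if supplied, is matched as one whole string; case-insensitive matching is an assumption here). The second function shows a stricter check, which you could add in your own signup form or backend in addition to the built-in policy, that also splits the local part and name on separators so that fragments like “john” and “doe” are caught. The separator set and the minimum fragment length are assumptions chosen for this example.

```python
import re

# Assumption (not from the article): characters treated as separators inside the
# local part of an email address or a name field, plus runs of digits.
SEPARATOR_RE = re.compile(r"[._+\-\s]+|\d+")

# Assumption: fragments shorter than this are too common to be meaningful
# (a name like "Al" would otherwise block every password containing "al").
MIN_FRAGMENT_LEN = 3


def email_local_part(email):
    """Return the part of the address before the last '@'
    (the "firstpart" in firstpart@example.com)."""
    return email.rsplit("@", 1)[0]


def contains_personal_data_whole(password, email, name=""):
    """Reproduce the behaviour the article describes: the local part of the email
    (and the name field, if present) is compared as a single string. It is not
    split on '.', so "johndoe", "john" and "doe" pass for john.doe@auth0.com,
    while "john.doe" fails. Case-insensitive comparison is an assumption."""
    haystack = password.lower()
    fragments = [email_local_part(email), name]
    return any(f.lower() in haystack for f in fragments if f)


def personal_data_fragments(email, name=""):
    """Stricter tokenisation: the whole local part, the local part with separators
    removed, and every separator-delimited token of the local part and the name.
    Tokens shorter than MIN_FRAGMENT_LEN are dropped."""
    local = email_local_part(email).lower()
    fragments = {local, SEPARATOR_RE.sub("", local)}
    for source in (local, name.lower()):
        fragments.update(SEPARATOR_RE.split(source))
    return {f for f in fragments if len(f) >= MIN_FRAGMENT_LEN}


def contains_personal_data_strict(password, email, name=""):
    """Reject the password if any personal-data fragment appears in it."""
    haystack = password.lower()
    return any(f in haystack for f in personal_data_fragments(email, name))


if __name__ == "__main__":
    # Constructed sample input mirroring the article's example.
    email = "john.doe@auth0.com"
    for candidate in ("JohnDoe", "doe", "Doe", "john.doe1", "correct-horse-battery"):
        print(
            f"{candidate!r}: whole-string check rejects={contains_personal_data_whole(candidate, email)}, "
            f"strict check rejects={contains_personal_data_strict(candidate, email)}"
        )
```

Running the block shows that “JohnDoe”, “doe” and “Doe” pass the whole-string check (matching what the article reports) but are rejected by the strict check, while “john.doe1” is rejected by both and a passphrase unrelated to the user's data is accepted by both. A client-side or custom backend check like this is a complement to, not a replacement for, the connection's password policy, since the server-side policy is what is actually enforced.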

Related References: