Return an Error for Passwords Exceeding Size Limits

akhilesh.krishnan · August 9, 2024, 4:18am

Feature: Return an Error for Passwords Exceeding Size Limits

Description: According to the Auth-0 documentation and this community post, passwords exceeding 72 bytes in length are silently truncated. Instead of truncating, it would be more effective to return an error when a password exceeds this length. This approach aligns with the recommendations outlined in the OWASP Authentication Cheat Sheet.

Use-case: For compliance reasons, we need to enforce an upper limit on password length. Since Auth0 does not currently support configuring this limit, we expect that an error should be returned when a password exceeds 72 bytes, rather than silently truncating the password.

Topic		Replies	Views
For passwords longer than 72 characters, Auth0 is ignoring all characters after the 72nd Help password	4	3098	March 25, 2020
Setting the Password Strength to 12 Characters in length Help	2	3421	December 17, 2018
Align Auth0 Password Capabilities with Current Recommendations from NIST and OWASP Feedback	0	206	May 15, 2024
Support OWASP ASVS v4.0.3 items 2.1.2 and 2.1.3 Feedback	0	383	March 12, 2024
User Password Limit Knowledge Articles password , authentication , security , password-policy , dos	1	2110	July 21, 2022

Return an Error for Passwords Exceeding Size Limits

Related Topics