Feature: Support OWASP ASVS v4.0.3 items 2.1.2 and 2.1.3
Description: As it stands it seems I can set a password of over 128 characters so is not compliant with 2.1.2. My observation is that only the first 72 characters are significant due to the hashing algorithm so in that sense truncation is performed which is not compliant with 2.1.3.
The documentation does not appear to address this issue specifically. There have been issues raised about this before in 2020 and those issues have been closed and a resolution since that does not seem to have emerged.
For passwords longer than 72 characters, Auth0 is ignoring all characters after the 72nd
Password length rules
Use-case: All Username-Password-Authentication users.
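An added example, not part of the original post and not Auth0 code, showing how the two ASVS items interact with a hasher that only reads a fixed-length prefix. It assumes the 72 limit from the post applies to UTF-8 bytes; `truncating_hash` is a SHA-256 stand-in that models the truncation only, and all function names are hypothetical.

```python
import hashlib
import re

MAX_ALLOWED = 128      # ASVS 2.1.2: passwords of more than 128 characters are denied
MUST_PERMIT = 64       # ASVS 2.1.2: passwords of at least 64 characters are permitted
HASH_INPUT_LIMIT = 72  # assumption: the hasher ignores input past 72 bytes


def truncating_hash(password, limit=HASH_INPUT_LIMIT):
    """Stand-in model of a hasher that silently drops input past `limit` bytes."""
    return hashlib.sha256(password.encode("utf-8")[:limit]).hexdigest()


def normalize(password):
    """ASVS 2.1.3 allows collapsing consecutive spaces; nothing else is dropped."""
    return re.sub(r" {2,}", " ", password)


def review_password(password, limit=HASH_INPUT_LIMIT):
    """Return ASVS findings for one candidate password; an empty list means accept."""
    findings = []
    pw = normalize(password)
    if len(pw) > MAX_ALLOWED:
        findings.append("2.1.2: more than 128 characters, must be denied")
    n_bytes = len(pw.encode("utf-8"))
    if n_bytes > limit:
        findings.append(
            "2.1.3: %d bytes exceeds the %d-byte hash input, tail would be ignored"
            % (n_bytes, limit)
        )
    return findings


if __name__ == "__main__":
    # Constructed sample passwords.
    a, b = "x" * 72 + "A", "x" * 72 + "B"
    print("same hash past the limit:", truncating_hash(a) == truncating_hash(b))
    # 64 two-byte characters: 2.1.2 says this must be permitted, yet it is
    # 128 bytes, so a 72-byte hasher would truncate it.
    for sample in ("x" * MUST_PERMIT, "\u00e9" * MUST_PERMIT, "x" * 129):
        print(len(sample), "chars ->", review_password(sample) or "ok")
```

A 64-character password made of multi-byte characters is the case to watch: 2.1.2 requires it to be permitted, but it already exceeds a 72-byte hash input.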