Available password policies

When using the Auth0 data store or a custom database connection, you can enforce the following password policies.
Policy and description:
  • Password history: Users cannot reuse their most recent passwords. Auth0 retains up to 24 passwords of history while this policy is enabled.
  • Password dictionary: Users cannot use passwords in the default dictionary list of 10,000 common passwords or any additional passwords you prohibit (based on case-insensitive comparison).
  • Block personal data: Users cannot use passwords containing the values of name, username, nickname, user_metadata.name, user_metadata.first, user_metadata.last, or the first part of their email (before the @).
  • Password strength: Users cannot use passwords that do not meet the chosen complexity requirements. There are five levels to choose from, based on the OWASP password recommendations.
You can configure these options in the Auth0 Dashboard or by using the Management API.

Enforce password policies with the Auth0 Dashboard

Password policies for social and enterprise connections are enforced by each provider, not by Auth0’s database connection password policies.
To enable or disable password policies from the Auth0 Dashboard:
  1. Go to Auth0 Dashboard > Authentication > Database, and select the name of the connection you want to edit.
  2. Select the Authentication Methods tab. Then, in the Password section, select Configure to open the Password panel.
  3. Select the Security section to expand it, and then update the policies you want to change:
    • Check or uncheck the Password history box. Use the Password history size field to choose the number of previous passwords that users cannot reuse.
    • Check or uncheck the Password dictionary box. Use the Additional dictionary entries text field to specify additional prohibited passwords, one per line.
    • Check or uncheck the Block Personal Data box.
  4. Select the Composition section to expand it, then use the Strength slider to choose a level of complexity:
    • None: Requires a non-empty password.
    • Low: Requires a character length you specify.
    • Fair: All previous, and additionally requires a lower-case letter, an upper-case letter, and a number.
    • Good: All previous, and additionally requires a special character (!@#$%^&*).
    • Excellent: All previous, and additionally requires no more than 2 identical characters in a row.
  5. Click Save.
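To see what each of these settings actually rejects, the following is an added local model of the password strength, password dictionary and block personal data policies as described on this page. It is example code written for this page, not Auth0's own implementation (Auth0 enforces the real checks server-side at signup and password change). Password history is not modelled because it needs the stored hashes of the user's previous passwords. The three-entry default dictionary and the user profile are constructed stand-ins, and case-insensitive matching for the personal-data check is an assumption the page does not state.

```python
import re

# Added example for this page, not Auth0's code. Models the Strength levels,
# the password dictionary and the block-personal-data policy described above.
# The real default dictionary has 10,000 entries; this stand-in is constructed.

STRENGTH_LEVELS = ("none", "low", "fair", "good", "excellent")
SPECIAL_CHARS = set("!@#$%^&*")
PERSONAL_FIELDS = ("name", "username", "nickname", "user_metadata.name",
                   "user_metadata.first", "user_metadata.last")
DEFAULT_DICTIONARY = ("password", "123456", "qwerty")  # constructed stand-in


def check_strength(password, level, min_length=8):
    """Return the unmet requirements for the given Strength level (empty list = pass)."""
    if level not in STRENGTH_LEVELS:
        raise ValueError(f"unknown strength level {level!r}")
    rank = STRENGTH_LEVELS.index(level)
    if not password:                                   # None: non-empty only
        return ["a non-empty password"]
    unmet = []
    if rank >= 1 and len(password) < min_length:       # Low: length you specify
        unmet.append(f"at least {min_length} characters")
    if rank >= 2:                                      # Fair: lower, upper, digit
        if not any(c.islower() for c in password):
            unmet.append("a lower-case letter")
        if not any(c.isupper() for c in password):
            unmet.append("an upper-case letter")
        if not any(c.isdigit() for c in password):
            unmet.append("a number")
    if rank >= 3 and not any(c in SPECIAL_CHARS for c in password):  # Good
        unmet.append("a special character (!@#$%^&*)")
    if rank >= 4 and re.search(r"(.)\1\1", password):               # Excellent
        unmet.append("no more than 2 identical characters in a row")
    return unmet


def in_dictionary(password, extra_entries=(), default_dictionary=DEFAULT_DICTIONARY):
    """Password dictionary policy: case-insensitive match against default and additional entries."""
    banned = {w.strip().lower() for w in (*default_dictionary, *extra_entries) if w.strip()}
    return password.lower() in banned


def _profile_values(profile):
    """Yield (field name, value) for each profile field the policy inspects, skipping empty ones."""
    meta = profile.get("user_metadata") or {}
    for field in PERSONAL_FIELDS:
        if field.startswith("user_metadata."):
            value = meta.get(field.split(".", 1)[1])
        else:
            value = profile.get(field)
        if value:
            yield field, str(value)
    email = profile.get("email") or ""
    local_part = email.split("@", 1)[0] if "@" in email else ""
    if local_part:
        yield "email (local part)", local_part


def personal_data_in_password(password, profile):
    """Block personal data policy: the fields whose value appears inside the password.
    Assumption: the comparison is case-insensitive (the page does not say)."""
    haystack = password.lower()
    return sorted(field for field, value in _profile_values(profile) if value.lower() in haystack)


def evaluate(password, profile, level="good", min_length=8, extra_entries=(),
             block_personal_data=True):
    """Run every enabled policy and return all reasons the password would be rejected."""
    reasons = [f"requires {r}" for r in check_strength(password, level, min_length)]
    if in_dictionary(password, extra_entries):
        reasons.append("password is in the prohibited dictionary")
    if block_personal_data:
        for field in personal_data_in_password(password, profile):
            reasons.append(f"password contains the value of {field}")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; "ada" appears in the password via username and first name.
    user = {"name": "Ada Lovelace", "username": "ada", "nickname": None,
            "email": "ada.l@example.com", "user_metadata": {"first": "Ada"}}
    for candidate in ("AdaRocks2024!", "Passsword1!", "Tr0ub4dor!"):
        print(candidate, "->", evaluate(candidate, user, level="excellent") or "accepted")
```

Note that the special-character set is exactly the eight characters the Composition panel lists; a password whose only non-alphanumeric character falls outside that set still fails the Good level.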

Enforce password policies with the Management API

You can use the Management API to configure password policies when you create or update a database connection; the settings are part of the connection’s options object. You can view a database connection’s current password policies in the options object returned from the Get a connection endpoint.
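The following is an added example of applying a password policy to an existing database connection through the Management API. It is example code written for this page, not Auth0's own SDK. It reads the connection, merges the policy keys into the options it already has, and writes the result back, because an update that sends options replaces the whole options object rather than merging it; sending only the policy keys would drop every other option the connection carries. The option key names used here (passwordPolicy, password_history, password_dictionary, password_no_personal_info, password_complexity_options) are assumptions taken from the Management API's connection options and are not listed on this page; confirm them against the Get a connection response for your tenant. The domain, token and connection ID are placeholders.

```python
import json
import urllib.request

# Added example for this page, not Auth0's own code. The option key names below
# are assumed from the Management API connection options; verify them against the
# options object that Get a connection returns for your tenant.

STRENGTH_LEVELS = ("none", "low", "fair", "good", "excellent")
MAX_HISTORY = 24  # Auth0 retains up to 24 previous passwords


def password_policy_options(level="good", min_length=None, history_size=None,
                            extra_dictionary=None, block_personal_data=None):
    """Return only the password-policy keys of a connection's options object.
    A parameter left as None produces no key, so the existing value survives the merge."""
    if level not in STRENGTH_LEVELS:
        raise ValueError(f"unknown strength level {level!r}")
    opts = {"passwordPolicy": level}
    if min_length is not None:
        opts["password_complexity_options"] = {"min_length": min_length}
    if history_size is not None:
        if not 1 <= history_size <= MAX_HISTORY:
            raise ValueError(f"history size must be between 1 and {MAX_HISTORY}")
        opts["password_history"] = {"enable": True, "size": history_size}
    if extra_dictionary is not None:
        # Comparison is case-insensitive, so store entries lower-cased and de-duplicated.
        opts["password_dictionary"] = {"enable": True,
                                       "dictionary": sorted({w.lower() for w in extra_dictionary})}
    if block_personal_data is not None:
        opts["password_no_personal_info"] = {"enable": bool(block_personal_data)}
    return opts


def merge_options(existing_options, policy_options):
    """Return a copy of the connection's current options with the policy keys replaced.
    Everything else (brute_force_protection, import_mode, ...) is kept as-is."""
    merged = dict(existing_options)
    merged.update(policy_options)
    return merged


def _request(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_password_policy(domain, token, connection_id, policy_options):
    """GET the connection, merge the policy into its options, PATCH it back.
    The token needs the read:connections and update:connections scopes."""
    url = f"https://{domain}/api/v2/connections/{connection_id}"
    current = _request("GET", url, token)
    merged = merge_options(current.get("options", {}), policy_options)
    return _request("PATCH", url, token, {"options": merged})


if __name__ == "__main__":
    # Placeholders: replace with your tenant domain, a Management API token and
    # the con_... identifier of the database connection.
    policy = password_policy_options("good", min_length=10, history_size=5,
                                     extra_dictionary=["Acme2024", "acme2024"],
                                     block_personal_data=True)
    print(json.dumps(policy, indent=2))
    # apply_password_policy("YOUR_DOMAIN", "MGMT_API_TOKEN", "con_XXXXXXXX", policy)
```

After the PATCH, read the connection back with Get a connection and compare its options with what you sent; that is the quickest way to catch a key name your tenant does not accept, since unknown keys are not applied.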