Password rejected even though it meets all requirements configured in password policy
Published: Apr 19, 2017   -   Updated: May 16, 2018

Issue:
  • A password is rejected even though it meets all requirements configured in the password policy, OR
  • A password is accepted when it is expected to be rejected

Applies to: 
  • Okta Mastered accounts
  • Password Policy

Cause: The password does not conform to the "Does not contain part of username" logic.

Resolution: 
  • Check whether the "Does not contain part of username" option is selected in the password policy. This setting uses the following logic:
  1. The policy analyzes the username as "parts" that are separated by punctuation
  2. Any part that contains fewer than 3 characters is not considered by the policy
  3. The password cannot contain any of these individual parts in its entirety, but it can contain a set of characters that makes up only a portion of an individual part
Examples:
  • Username john.smith@business.com contains the following parts: john, smith, business, and com
    • User attempts to set the password to Welcome123. The password is accepted: although it contains "com", Okta does not reject the part "com".
  • Username ed.jones@business.com contains the following parts: jones, business, and com. "ed" is not considered a part because it is fewer than 3 characters long.
    • User attempts to set the password to ed123456. The password is accepted, because "ed" is not considered a username part.
  • Username andy.smith@business.com contains the following parts: andy, smith, business, and com
    • User attempts to set the password to smith321. The password is rejected, because it contains the part "smith".
  • Username asmith@business.com contains the following parts: asmith, business, and com
    • User attempts to set the password to smith321. The password is accepted despite containing "smith", because "smith" is an incomplete portion of the part "asmith".

Note: Common top-level domains such as "com", "net", and "gov" are allowed in passwords.
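
The Python sketch below models the rules above so an administrator can see which username part causes a rejection. It is an added example, not Okta's code; treating every non-alphanumeric character as a separator, matching case-insensitively, and exempting only the three domains named in the note are assumptions.

```python
import re

# Assumption: only the three top-level domains named in the note are exempt.
ALLOWED_TLDS = {"com", "net", "gov"}
MIN_PART_LEN = 3  # parts with fewer than 3 characters are ignored


def username_parts(username):
    """Split the username on punctuation and drop parts that are too short."""
    # Assumption: any non-alphanumeric character counts as punctuation.
    parts = re.split(r"[\W_]+", username)
    return [p for p in parts if len(p) >= MIN_PART_LEN]


def blocking_parts(username, password):
    """Return the username parts that appear whole inside the password."""
    pw = password.lower()  # assumption: comparison is case-insensitive
    hits = []
    for part in username_parts(username):
        p = part.lower()
        if p in ALLOWED_TLDS:
            continue  # common top-level domains are allowed in passwords
        if p in pw:
            hits.append(part)
    return hits


def check(username, password):
    """Return ('rejected', parts) or ('accepted', []) for this one rule."""
    hits = blocking_parts(username, password)
    return ("rejected", hits) if hits else ("accepted", [])


# The four cases from the examples above.
CASES = [
    ("john.smith@business.com", "Welcome123"),
    ("ed.jones@business.com", "ed123456"),
    ("andy.smith@business.com", "smith321"),
    ("asmith@business.com", "smith321"),
]

if __name__ == "__main__":
    for user, pw in CASES:
        verdict, hits = check(user, pw)
        print(f"{user:28} {pw:12} {verdict} {hits}")
```

This covers only the "Does not contain part of username" rule; length, complexity, and history requirements in the policy are evaluated separately.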
