Password rejected even though it meets all requirements configured in password policy
Published: Apr 19, 2017   -   Updated: Jun 22, 2018

Overview: The Okta password policy is not being applied correctly
  • Symptoms:
    • A password is rejected even though it meets all requirements configured in the password policy, OR
    • A password is accepted when it is expected to be rejected

Applies to: 
  • Okta Mastered accounts

Cause: Password does not conform to "Does not contain part of username" logic 

Resolution: 
  • Check whether the "Does not contain part of username" option is selected in the password policy. The logic this setting uses is as follows:
  1. The policy analyzes the username as "parts" that are separated by punctuation
  2. Any part that contains fewer than 4 characters is not considered by the policy
  3. The password cannot contain any of these individual parts in their entirety, but can contain a set of characters that comprise a portion of an individual part

Note: Common top-level domains such as "com", "net", and "gov" are not considered as parts, and are therefore allowed in passwords.
 
Examples:
  • Username ed.jones@business.com contains the following parts: jones and business. "Ed" is not considered a part since it is less than 4 characters.
    • User attempts to set password to ed123456. Password is accepted, because "Ed" is not considered to be a "part".
  • Username andy.smith@business.com contains the following parts: andy, smith, and business
    • User attempts to set password to smith321. Password is rejected, because it contains the part "smith".
  • Username asmith@business.com contains the following parts: asmith and business
    • User attempts to set password to smith321. Password is accepted despite containing "smith", because smith is an incomplete portion of the part "asmith".
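
The three-step logic and the examples above can be reproduced with a short script for checking why a given password was accepted or rejected. This is an added example, not Okta's code. It assumes that "punctuation" means any non-alphanumeric character, that matching is case-insensitive, and that the ignored top-level domains are only the three named in the note.

```python
import re

# Assumption: the article names "com", "net" and "gov" only as examples of
# ignored top-level domains; the full list Okta uses is not given.
IGNORED_TLDS = {"com", "net", "gov"}
MIN_PART_LEN = 4  # step 2: parts with fewer than 4 characters are not considered


def username_parts(username):
    """Step 1 and 2: split on punctuation, keep only the parts the policy considers."""
    # Assumption: any non-alphanumeric character (including "_") is a separator.
    raw = re.split(r"[\W_]+", username.lower())
    return [p for p in raw if len(p) >= MIN_PART_LEN and p not in IGNORED_TLDS]


def blocking_parts(username, password):
    """Step 3: return the username parts that appear in full inside the password."""
    # Assumption: the comparison is case-insensitive.
    candidate = password.lower()
    return [p for p in username_parts(username) if p in candidate]


def password_allowed(username, password):
    """True when no complete username part occurs in the password."""
    return not blocking_parts(username, password)


if __name__ == "__main__":
    # The three cases from the Examples section of the article.
    cases = [
        ("ed.jones@business.com", "ed123456"),
        ("andy.smith@business.com", "smith321"),
        ("asmith@business.com", "smith321"),
    ]
    for user, pw in cases:
        hits = blocking_parts(user, pw)
        verdict = "rejected, contains: " + ", ".join(hits) if hits else "accepted"
        print(f"{user:26} {pw:10} parts={username_parts(user)} -> {verdict}")
```

The third case shows the gap an administrator should be aware of: a password built from most of the username still passes when the matching portion is not a complete part.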