The Okta password policy is not being applied correctly.
Symptoms:
- Password rejected even though it meets all requirements configured in the password policy.
OR
- A password that contains part of the username is accepted when it should be rejected.
- Okta Mastered Users
- Management and Monitoring
- Okta Classic Engine
- In the Okta Admin Console, navigate to Security > Authentication > Password.
- Check whether the Does not contain part of username option is enabled in the password policy that is applied to the user.
- When this setting is enabled, the password policy evaluates the username as "parts" separated by punctuation.
- Any part that contains fewer than 4 characters (for example, Tom or Sue) is not evaluated by the policy.
- The password cannot contain any of the individual parts, but it can contain an incomplete portion of a part.
- NOTE: Common top-level domains such as "com", "net", and "gov" are not evaluated as parts and are therefore allowed in passwords.
Examples:
- The username ed.jones@business.com contains the following "parts": jones and business. "Ed" is not evaluated because it is fewer than 4 characters.
  - The user attempts to set the password ed123456. The password is accepted because "Ed" is not considered a password "part".
- The username andy.smith@business.com contains the following "parts": andy, smith, and business.
  - The user attempts to set the password smith321. The password is rejected because it contains the part "smith".
- The username asmith@business.com contains the following "parts": asmith and business.
  - The user attempts to set the password smith321. The password is accepted despite containing "smith" because "smith" is only an incomplete portion of the part "asmith".
NOTE: For security reasons, Okta does not disclose what exact criteria from the Password Policy are not met during Password Validation.
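The parts rule described above, as an added illustration that is not Okta's own code: it splits a username on punctuation, drops parts shorter than 4 characters and the common top-level domains named in the note, and reports which whole part a candidate password contains. Case-insensitive matching and the exact TLD set are assumptions, not something the article states.

```python
import re
from typing import List, Optional

# Constructed subset of common top-level domains; the article names
# "com", "net" and "gov" as examples, so this exact set is an assumption.
IGNORED_TLDS = {"com", "net", "gov"}
MIN_PART_LENGTH = 4  # parts shorter than this are not evaluated


def username_parts(username: str) -> List[str]:
    """Split a username into the 'parts' the policy evaluates.

    Parts are separated by punctuation (anything that is not a letter or
    digit). Parts shorter than MIN_PART_LENGTH and ignored TLDs are dropped.
    Lower-casing (case-insensitive comparison) is an assumption.
    """
    raw_parts = re.split(r"[^A-Za-z0-9]+", username.lower())
    return [
        p for p in raw_parts
        if len(p) >= MIN_PART_LENGTH and p not in IGNORED_TLDS
    ]


def offending_part(password: str, username: str) -> Optional[str]:
    """Return the first username part found inside the password, or None.

    Only a *whole* part counts: a fragment such as 'smith' taken from the
    part 'asmith' does not trigger the rule, matching the third example.
    """
    lowered = password.lower()
    for part in username_parts(username):
        if part in lowered:
            return part
    return None


def password_allowed(password: str, username: str) -> bool:
    """True when the 'Does not contain part of username' check passes."""
    return offending_part(password, username) is None


if __name__ == "__main__":
    # The three cases from the article, plus one showing the ignored TLD.
    cases = [
        ("ed.jones@business.com", "ed123456"),    # accepted
        ("andy.smith@business.com", "smith321"),  # rejected: part "smith"
        ("asmith@business.com", "smith321"),      # accepted: part is "asmith"
        ("asmith@business.com", "dotcom2024"),    # accepted: "com" is ignored
    ]
    for user, pw in cases:
        print(user, pw, username_parts(user), offending_part(pw, user))
```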
