Personal Data Password Policy Allows Parts of Email Address

Overview

The documentation for the Personal Data password policy states that the option prevents users from setting passwords that contain personal data. However, the validation logic still accepts passwords that contain specific substrings of the username or email address.

For example, a user with the email john.doe@domain.com can successfully set passwords containing parts of the email address, such as JohnDoe, doe, or Doe, even though these strings appear in the username or email fields.

Applies To
  • Auth0 Database Connections

  • Password Policy

Cause

With the Personal Data policy option enabled, the system checks the entire string preceding the @ symbol in the email address (for example, <firstpart>@<example.com>). The validation logic does not split that string any further on delimiters such as periods.

Solution

The validation logic operates on the exact string found before the @ symbol.

  • If the user's name is John, the password cannot include John. For example, John1234 is not allowed.

  • For the email john.doe@domain.com, the system rejects passwords containing the exact string john.doe.

  • Passwords that include substrings such as johndoe, john, or doe are still accepted because the system does not break the prefix john.doe down into smaller components.
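The following is an added example, not Auth0's code: it models the check as this article describes it (compare the password against the whole local part of the email, plus the user's name, with no splitting on delimiters) beside a stricter, hypothetical variant that also checks each delimited fragment and the fragments joined together. Case-insensitive comparison, the delimiter set and the three-character minimum fragment length are assumptions made for the example; the email address is the one used on this page.

```python
"""Added example: the Personal Data check as described on this page, beside a
stricter variant that tokenizes the local part. Not Auth0's implementation."""
import re
from typing import Optional

# Delimiters commonly used inside the local part of an email address (assumed).
DELIMITERS = re.compile(r"[._\-+]")
# Fragments shorter than this are not flagged; "jo" would reject too many
# unrelated passwords. Hypothetical tuning value.
MIN_FRAGMENT = 3


def _local_part(email: str) -> str:
    """Return the string before the '@', the whole prefix the policy compares."""
    return email.split("@", 1)[0]


def personal_data_rejects_as_described(password: str, email: str,
                                       name: Optional[str] = None) -> bool:
    """Behaviour described on the page: only the exact local part (and the
    user's name, if given) are compared against the password. Comparison is
    case-insensitive (assumption); nothing is split on delimiters."""
    haystack = password.lower()
    terms = [_local_part(email)]
    if name:
        terms.append(name)
    return any(term.lower() in haystack for term in terms if term)


def personal_data_fragments(email: str, name: Optional[str] = None):
    """Stricter variant (hypothetical): the local part, the local part with
    delimiters removed, every delimited fragment, and the name, lower-cased."""
    local = _local_part(email).lower()
    fragments = {local, DELIMITERS.sub("", local)}
    fragments.update(DELIMITERS.split(local))
    if name:
        fragments.add(name.lower())
    return {f for f in fragments if len(f) >= MIN_FRAGMENT}


def personal_data_rejects_strict(password: str, email: str,
                                 name: Optional[str] = None) -> bool:
    """Reject the password if any fragment of the personal data appears in it."""
    haystack = password.lower()
    return any(f in haystack for f in personal_data_fragments(email, name))


if __name__ == "__main__":
    email = "john.doe@domain.com"          # the page's example address
    for pw in ["john.doe1", "JohnDoe1!", "MyDoe", "Secure#Pass99"]:
        print(f"{pw:14} described={personal_data_rejects_as_described(pw, email)!s:5} "
              f"strict={personal_data_rejects_strict(pw, email)}")
```

Running the block shows the gap the article describes: john.doe1 is rejected by both checks, while JohnDoe1! and MyDoe pass the check as described and are only caught by the fragment-based variant. The minimum fragment length is the trade-off to tune; lowering it rejects more passwords that merely happen to contain a short common syllable.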
