ENG-990: Disallow password which is the same as user's login (#1225)

kingds · web-flow · commit 10bad463b2cb · 2026-02-24T20:07:41.000-07:00
Added a field `PasswordValidationRules.disallowUserLoginId`, configurable per tenant. If enabled, passwords will be rejected if they contain the user's email, username, or phone number.
diff --git a/src/main/java/io/fusionauth/domain/PasswordValidationRules.java b/src/main/java/io/fusionauth/domain/PasswordValidationRules.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, FusionAuth, All Rights Reserved
+ * Copyright (c) 2019-2026, FusionAuth, All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,9 @@
 public class PasswordValidationRules implements Buildable<PasswordValidationRules> {
   public PasswordBreachDetection breachDetection = new PasswordBreachDetection();
 
+  // Reject passwords that include the user's email, username, or phone number
+  public boolean disallowUserLoginId;
+
   public int maxLength = 256;
 
   public int minLength;
@@ -49,6 +52,7 @@ public PasswordValidationRules() {
   }
 
   public PasswordValidationRules(PasswordValidationRules other) {
+    this.disallowUserLoginId = other.disallowUserLoginId;
     this.breachDetection = new PasswordBreachDetection(other.breachDetection);
     this.maxLength = other.maxLength;
     this.minLength = other.minLength;
@@ -68,7 +72,8 @@ public boolean equals(Object o) {
       return false;
     }
     PasswordValidationRules that = (PasswordValidationRules) o;
-    return maxLength == that.maxLength &&
+    return disallowUserLoginId == that.disallowUserLoginId &&
+           maxLength == that.maxLength &&
            minLength == that.minLength &&
            requireMixedCase == that.requireMixedCase &&
            requireNonAlpha == that.requireNonAlpha &&
@@ -79,7 +84,7 @@ public boolean equals(Object o) {
 
   @Override
   public int hashCode() {
-    return Objects.hash(breachDetection, maxLength, minLength, rememberPreviousPasswords, requireMixedCase, requireNonAlpha, requireNumber, validateOnLogin);
+    return Objects.hash(disallowUserLoginId, breachDetection, maxLength, minLength, rememberPreviousPasswords, requireMixedCase, requireNonAlpha, requireNumber, validateOnLogin);
   }
 
   @Override
