Configuring the password policy
The password policy is a set of rules that define the password requirements for Kratos identities. These rules can be changed by modifying the following configuration parameters:
`path/to/kratos/config.yml`:

```yaml
selfservice:
  methods:
    password:
      enabled: true
      config:
        haveibeenpwned_enabled: true
        min_password_length: 8
        identifier_similarity_check_enabled: true
```
haveibeenpwned_enabled
If set to true, the password policy will check if the password has been found in the Have I Been Pwned database. The default value is true.

min_password_length
The minimum length of the password. The default value is 8, the minimum allowed value is 6.

identifier_similarity_check_enabled
If set to true, the password policy will check if the password is similar to the user identifier. The default value is true.
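To make the three settings concrete, here is an added example (not Ory Kratos code) that re-implements the checks locally with the policy keys named as in the configuration above. The identifier-similarity heuristic (substring test plus a Levenshtein threshold of 3), the `check_password` helper, and the constructed Have I Been Pwned range response are assumptions made for illustration; Kratos's own implementation may use different rules. The HIBP part does show the real k-anonymity shape of the lookup: only the first five hex characters of the SHA-1 hash leave the host, and the match is made locally.

```python
# Added example, not part of Ory Kratos: a local re-implementation of the three
# password-policy checks so each rule can be exercised against sample input.
# The similarity heuristic and the SAMPLE_RANGE_5BAA6 response are constructed
# here for illustration; Kratos's own implementation may differ.
import hashlib
import urllib.request
from typing import Dict, List, Optional, Tuple

# Real HIBP k-anonymity endpoint: GET <url><first 5 hex chars of SHA-1>.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used by the similarity heuristic below."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similar_to_identifier(password: str, identifier: str, max_distance: int = 3) -> bool:
    """Assumed heuristic: the password counts as similar if the identifier (or the
    local part of an e-mail identifier) appears inside it, or if the edit distance
    to it is at most max_distance. Everything is compared case-insensitively."""
    pw = password.lower()
    ident = identifier.lower()
    for cand in {ident, ident.split("@")[0]}:
        if len(cand) >= 3 and cand in pw:
            return True
        if levenshtein(pw, cand) <= max_distance:
            return True
    return False


def hibp_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_count(suffix: str, range_response: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 when it is absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        sfx, count = line.split(":", 1)
        if sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_hibp_range(prefix: str) -> str:
    """Live lookup; only the 5-character prefix is transmitted."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, identifier: str, policy: Dict[str, object],
                   range_response: Optional[str] = None) -> List[str]:
    """Apply the policy and return the names of the violated settings; an empty
    list means the password is acceptable. Passing range_response avoids the
    network call (useful for tests or a captured response)."""
    failures: List[str] = []
    if len(password) < int(policy.get("min_password_length", 8)):
        failures.append("min_password_length")
    if policy.get("identifier_similarity_check_enabled", True) and \
            similar_to_identifier(password, identifier):
        failures.append("identifier_similarity_check_enabled")
    if policy.get("haveibeenpwned_enabled", True):
        prefix, suffix = hibp_split(password)
        if range_response is None:
            range_response = fetch_hibp_range(prefix)
        if hibp_count(suffix, range_response) > 0:
            failures.append("haveibeenpwned_enabled")
    return failures


# Constructed range response for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8): the real suffix with an
# illustrative count, plus one made-up neighbouring suffix.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000\n"
    + "1F" + "0" * 33 + ":3\n"
)

# Mirrors the settings shown in the configuration above.
POLICY = {
    "haveibeenpwned_enabled": True,
    "min_password_length": 8,
    "identifier_similarity_check_enabled": True,
}

if __name__ == "__main__":
    print(check_password("password", "alice@example.com", POLICY, SAMPLE_RANGE_5BAA6))
    print(check_password("alice2024!", "alice@example.com", POLICY, range_response=""))
    print(check_password("correct horse battery staple", "alice@example.com", POLICY, range_response=""))
```

Run stand-alone, the script reports `['haveibeenpwned_enabled']` for "password", `['identifier_similarity_check_enabled']` for a password containing the account's local part, and an empty list for an unrelated passphrase. Leaving `range_response` out performs the live range query.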