
Configuring The Password Policy

The password policy is the set of rules that defines what passwords Kratos accepts for its identities. The rules are changed through the following configuration parameters:

path/to/kratos/config.yml

```yaml
selfservice:
  methods:
    password:
      enabled: true
      config:
        haveibeenpwned_enabled: true
        min_password_length: 8
        identifier_similarity_check_enabled: true
```

haveibeenpwned_enabled

If set to true, the password policy checks whether the password has been found in the Have I Been Pwned database and rejects it if it has. The default value is true.

min_password_length

The minimum length of the password. The default value is 8; the minimum allowed value is 6.

identifier_similarity_check_enabled

If set to true, the password policy checks whether the password is too similar to the identity's identifier and rejects it if it is. The default value is true.
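The three settings above, put together as an added Go example that is not Kratos's own code: the length and similarity checks run locally, and the Have I Been Pwned check follows the k-anonymity range protocol, in which only the first five hex digits of the password's SHA-1 hash are sent out and the rest of the hash is matched locally. The similarity rule (case-insensitive containment) and the `ConstructedLookup` stand-in with its invented counts are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"strconv"
	"strings"
)

// Policy mirrors the three settings in the config snippet above.
type Policy struct {
	MinPasswordLength         int
	HaveIBeenPwnedEnabled     bool
	IdentifierSimilarityCheck bool
}

// Validate applies the policy; lookup returns an HIBP range response ("SUFFIX:COUNT" lines).
func (p Policy) Validate(lookup func(prefix string) string, identifier, password string) error {
	if len(password) < p.MinPasswordLength {
		return fmt.Errorf("password must be at least %d characters", p.MinPasswordLength)
	}
	// The similarity rule is an assumption (case-insensitive containment), not Kratos's exact one.
	id, pw := strings.ToLower(identifier), strings.ToLower(password)
	if p.IdentifierSimilarityCheck && id != "" && (strings.Contains(pw, id) || strings.Contains(id, pw)) {
		return fmt.Errorf("password is too similar to the identifier")
	}
	if p.HaveIBeenPwnedEnabled {
		if n, err := PwnedCount(lookup, password); err != nil || n > 0 {
			return fmt.Errorf("password rejected by breach check (seen %d times, err=%v)", n, err)
		}
	}
	return nil
}

// PwnedCount is the k-anonymity range check: only the first 5 hex digits of SHA-1(password)
// go to the lookup; the remaining 35 digits are compared locally against every returned line.
func PwnedCount(lookup func(prefix string) string, password string) (int, error) {
	sum := fmt.Sprintf("%X", sha1.Sum([]byte(password)))
	for _, line := range strings.Split(lookup(sum[:5]), "\n") {
		if suffix, count, ok := strings.Cut(strings.TrimSpace(line), ":"); ok && suffix == sum[5:] {
			return strconv.Atoi(count)
		}
	}
	return 0, nil
}

// ConstructedLookup stands in for the HIBP API: one made-up range (counts invented) for prefix
// 5BAA6, where SHA-1("password") = 5BAA61E4... lands; every other prefix returns no lines.
func ConstructedLookup(prefix string) string {
	return map[string]string{"5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"}[prefix]
}
```

A production lookup would perform the HTTPS range request for `sum[:5]` and should decide explicitly whether a failed request rejects the password (fail closed) or skips the check.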