The Flexible Password Policy replaces the legacy password policies to provide increased granularity and configuration options.
| Policy | Legacy behavior | Flexible Password Policy behavior |
|---|---|---|
| Password strength | Choose from five preset levels of complexity. Silently truncates passwords beyond maximum length. | Customize all complexity requirements independently. Choose behavior for passwords beyond maximum length (truncate or error). |
| Password history | Configure the number of previous passwords that a user cannot reuse, up to 24. | Retains equivalent functionality. |
| Password dictionary | Uses one built-in dictionary of 10,000 common words. | Choose between two built-in dictionaries of 10,000 or 100,000 common words. |
| Block personal data | Blocks a fixed set of user data fields. | Fully customize which fields to block. |
In the configuration schema for database connections, the Flexible Password Policy also replaces the legacy password policy options objects and values (passwordPolicy, password_complexity_options, password_history, password_no_personal_info, password_dictionary) with a single, configurable password_options object.

Limits

The Flexible Password Policy is currently in Early Access.
  • During Early Access, the Flexible Password Policy configuration is only available using the Management API and is not available in the Auth0 Dashboard.
  • When you enable the Flexible Password Policy:
    • Legacy password policy configuration in your database connection’s options is ignored.
    • Legacy password policy configuration in the Auth0 Dashboard becomes read-only.

Enable the Flexible Password Policy

To enable the Flexible Password Policy, you need to update your database connection’s options object to include the new password_options object.

Prerequisites

The following requirements are necessary to use the Flexible Password Policy:
  • You must use a database connection with the Auth0 user store ("strategy": "auth0").
  • The tenant must use Universal Login.
  • The tenant must not have a custom password reset screen configured.
  • Your Management API access token must have the read:connections and update:connections scopes. Without them, you cannot retrieve or modify the database connection’s configuration, respectively.

1. Compose the new configuration

First, get your database connection’s current configuration using the Get a connection endpoint. You can view the full response schema in the API reference. In the options object, append a new password_options object. Do not remove or modify the rest of the options object to preserve your database connection’s overall configuration. For example, the following password_options object enforces passwords with a minimum length of 15 characters and one each of an uppercase character, a lowercase character, a number, and a special character, and additionally prevents users from reusing their most recent five passwords:
"password_options": {
    "complexity": {
        "min_length": 15,
        "character_types": ["uppercase", "lowercase", "number", "special"],
        "character_type_rule": "all"
    },
    "history": {
        "active": true,
        "size": 5
    }
}

2. Update the database connection

Update your database connection with the new options object using the Update a connection endpoint. This endpoint overwrites the entire options object with the new options object you provide, so include the entirety of the original options object with the additional password_options object appended. You can verify the update by getting your database connection’s configuration with the Get a connection endpoint again. If the response contains the password_options object, the Flexible Password Policy is enabled for that database connection.

Revert to the legacy password policies

To revert to the legacy password policies, follow the same process to update the database connection with its original options object, removing the entire password_options object.