Configure the Flexible Password Policy for Auth0 Database Connections

The Flexible Password Policy is currently in Early Access. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about Auth0’s product release cycle, read Product Release Stages.

The Flexible Password Policy replaces the legacy password policies to provide increased granularity and configuration options.

Policy	Legacy Behavior	Flexible Password Policy Behavior
Password strength	Choose from five preset levels of complexity. Silently truncates passwords beyond maximum length.	Customize all complexity requirements independently. Choose behavior for passwords beyond maximum length (truncate or error).
Password history	Configure the number of previous passwords that a user cannot reuse, up to 24.	Retains equivalent functionality.
Password dictionary	Uses one built-in dictionary of 10,000 common words.	Choose between two built-in dictionaries of 10,000 or 100,000 common words.
Block personal data	Blocks a fixed set of user data fields.	Fully customize which fields to block, up to 12.

In the Management API’s configuration schema for database connections, the Flexible Password Policy also replaces the legacy password policy options objects and values with a single, configurable password_options object.

Prerequisites

The following requirements are necessary to use the Flexible Password Policy:

You must use a database connection with the Auth0 user store ("strategy": "auth0").
The tenant must use Universal Login.
The tenant must not have a custom password reset screen configured.
If using the Management API, your access token must have the read:connections and update:connections scopes. Without them, you cannot retrieve or modify the database connection’s configuration, respectively.

Enable the Flexible Password Policy

You can enable the Flexible Password Policy using the Auth0 Dashboard or the Management API.

Auth0 Dashboard
Management API

To enable the Flexible Password Policy from the Auth0 Dashboard:

Go to Auth0 Dashboard > Authentication > Database, and select the name of the connection you want to edit.
Select the Authentication Methods tab. Then, in the Password section, select Configure to open the Password panel.
In the Flexible Password Policy banner at the top, select Activate, then select Confirm.

This converts your database connection’s existing password policies from the legacy configuration to the Flexible Password Policy configuration and returns you to the Authentication Methods tab.The same Authentication Methods > Password > Configure panel now shows the Flexible Password Policy configuration options in three sections: Policy, Composition, and Security.

Policy settings

The Policy section contains the following settings:

Password for login: Allow or block users from logging in with a password.
Password on signup: Allow or block users from signing up with a password.
Self-service change password: Allow or block users from changing their own passwords.
Support users without a password: Toggle whether users can be created without a password via the Management and Authentication APIs.

Composition settings

The Composition section contains the following settings:

Minimum password length: Enter the minimum password length.
Additional composition rules
- Required password options: At least one uppercase letter, at least one lowercase letter, at least one number, at least one special character, and/or at least 3 of 4 of the previous character types.
- Block three or more sequential characters, like ABC or 321
- Block three or more identical characters in a row, like 000
- Maximum password length exceeded: For passwords longer than 72 bytes, choose between Truncate password (allow longer passwords but only encrypt the first 72 bytes) or Show error (reject passwords longer than 72 bytes).

Security settings

The Security section contains the following settings:

Password history: Prevent password reuse.
- Password history size: Choose the number of previous passwords that users cannot reuse.
Password dictionary: Prevent users from using passwords in the specified dictionary or in your additional dictionary entries.
- Default dictionary: Choose between the 10,000 common words or 100,000 common words dictionaries.
- Additional dictionary entries: Enter additional prohibited passwords, one per line.
Block profile data in passwords: Prevent users from setting passwords that contain the user’s profile data.
- Select profile fields to block: Choose from eight common default fields to block.
- Additional profile fields to block: Enter additional profile fields to block.

After you modify these settings, click Save.

To enable the Flexible Password Policy using the Management API, you need update your database connection’s options configuration:

First, get your database connection’s current configuration using the Get a connection endpoint.
In the options object, remove the following legacy password objects and values:
- passwordPolicy
- password_complexity_options
- password_history
- password_no_personal_info
- password_dictionary
In the options object, append a single password_options object containing your desired Flexible Password Policy configuration. You can view the full schema for the password_options object in the API reference (as in the Update a connection endpoint body parameters).
Update your database connection with the new options object using the Update a connection endpoint.
This endpoint overwrites the entire options object with the version you provide, so include the entire modified object in your PATCH request to preserve your database connection’s other configuration.

As an example, the following two options configurations (one legacy, one Flexible Password Policy) both prevent users from using their five most recent passwords, any words in the 10,000 common words list, or the additional entries badPassword and reallyBadPassword:

Legacy password policy example

"password_history": {
    "enable": true,
    "size": 5
},
"password_dictionary": {
    "enable": true,
    "dictionary": [
        "badPassword",
        "reallyBadPassword"
    ]
}

Flexible Password Policy example

"password_options": {
    "history": {
        "active": true,
        "size": 5
    },
    "dictionary": {
        "active": true,
        "default": "en_10k",
        "custom": [
            "badPassword",
            "reallyBadPassword"
        ]
    }
}

You can verify the update by getting your database connection’s configuration with the Get a connection endpoint again. If the response contains the password_options object, the Flexible Password Policy is enabled for that database connection.

Revert to the legacy password policies

To revert back to the legacy password policies, you need to use the Management API. Follow the same process as above to update the database connection with its original options, removing the entire password_options object.

Add Login

Provision Users

Configure the Flexible Password Policy for Auth0 Database Connections

Prerequisites

Enable the Flexible Password Policy

Revert to the legacy password policies

Add Login

Provision Users

​Prerequisites

​Enable the Flexible Password Policy

​Revert to the legacy password policies

Prerequisites

Enable the Flexible Password Policy

Revert to the legacy password policies