
# Configure the Flexible Password Policy for Auth0 Database Connections

> Use the Flexible Password Policy to define password strength and composition rules for database connections in Auth0.

export const ReleaseStageNotice = ({feature, stage, plans, contact, terms}) => {
  const stageTextMap = {
    "beta": "Beta",
    "ea": "Early Access"
  };
  const stageText = stageTextMap[stage] || "a product release stage";
  const prsLink = "/docs/troubleshoot/product-lifecycle/product-release-stages";
  const linkify = (text, url) => {
    return <a href={url} target="_blank" rel="noreferrer" class="link">{text}</a>;
  };
  const includeDetails = (plans, contact, terms) => {
    const hasDetails = terms || plans || contact;
    if (!hasDetails) return null;
    return <span data-as="p">
            {plans && <>This feature is available for {linkify(`${plans} plans`, "https://auth0.com/pricing")}. </>}
            {contact && "To participate, contact " + contact + ". "}
            {terms && <>By using this feature, you agree to the applicable Free Trial terms in Okta's {linkify("Master Subscription Agreement", "https://www.okta.com/legal")}.</>}
        </span>;
  };
  return <Warning>
            <span data-as="p">
                <strong>The {feature} feature is in {linkify(stageText, prsLink)}.</strong>
            </span>

            {includeDetails(plans, contact, terms)}
        </Warning>;
};

<ReleaseStageNotice feature="Flexible Password Policy" stage="ea" terms="true" />

The Flexible Password Policy replaces the [legacy password policies](/docs/authenticate/database-connections/password-options) to provide increased granularity and configuration options.

| Policy              | Legacy Behavior                                                                                              | Flexible Password Policy Behavior                                                                                                        |
| ------------------- | ------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- |
| Password strength   | Choose from five preset levels of complexity.<br /><br />Silently truncates passwords beyond maximum length. | Customize all complexity requirements independently.<br /><br />Choose behavior for passwords beyond maximum length (truncate or error). |
| Password history    | Configure the number of previous passwords that a user cannot reuse, up to 24.                               | Retains equivalent functionality.                                                                                                        |
| Password dictionary | Uses one built-in dictionary of 10,000 common words.                                                         | Choose between two built-in dictionaries of 10,000 or 100,000 common words.                                                              |
| Block personal data | Blocks a fixed set of user data fields.                                                                      | Fully customize which fields to block, up to 12.                                                                                         |

In the Management API's configuration schema for database connections, the Flexible Password Policy also replaces the legacy password policy `options` objects and attributes with a single, configurable `options.password_options` object.

## Prerequisites

The following requirements are necessary to use the Flexible Password Policy:

* You must use a database connection with the Auth0 user store (`"strategy": "auth0"`).

* The tenant must use Universal Login.

* The tenant must not have a custom password reset screen configured.

* If using the Management API, your access token must have the `read:connections` and `update:connections` scopes. Without them, you cannot retrieve or modify the database connection's configuration, respectively.

## Enable the Flexible Password Policy

You can enable the Flexible Password Policy using the Auth0 Dashboard or the Management API.

<Tabs>
  <Tab title="Auth0 Dashboard">
    To enable the Flexible Password Policy from the Auth0 Dashboard:

    1. Go to [Auth0 Dashboard > Authentication > Database](https://manage.auth0.com/#/connections/database), and select the name of the connection you want to edit.

    2. Select the **Authentication Methods** tab. Then, in the **Password** section, select **Configure** to open the **Password** panel.

    3. In the Flexible Password Policy banner at the top, select **Activate**, then select **Confirm**.

    This converts your database connection's existing password policies from the legacy configuration to the Flexible Password Policy configuration and returns you to the **Authentication Methods** tab.

    The same **Authentication Methods > Password > Configure** panel now shows the Flexible Password Policy configuration options in three sections: **Policy**, **Composition**, and **Security**.

    <AccordionGroup>
      <Accordion title="Policy settings">
        The **Policy** section contains the following settings:

        * **Password for login**: Allow or block users from logging in with a password.

        * **Password on signup**: Allow or block users from signing up with a password.

        * **Self-service change password**: Allow or block users from changing their own passwords.

        * **Support users without a password**: Toggle whether users can be created without a password via the Management and Authentication APIs.
      </Accordion>

      <Accordion title="Composition settings">
        The **Composition** section contains the following settings:

        * **Minimum password length**: Enter the minimum password length.

        * **Additional composition rules**

          * **Required password options**: At least one uppercase letter, at least one lowercase letter, at least one number, at least one special character, and/or at least 3 of 4 of the previous character types.

          * **Block three or more sequential characters**, like ABC or 321.

          * **Block three or more identical characters in a row**, like 000.

          * **Maximum password length exceeded**: For passwords longer than 72 bytes, choose between **Truncate password** (allow longer passwords but only encrypt the first 72 bytes) or **Show error** (reject passwords longer than 72 bytes).
      </Accordion>

      <Accordion title="Security settings">
        The **Security** section contains the following settings:

        * **Password history**: Prevent password reuse.

          * **Password history size**: Choose the number of previous passwords that users cannot reuse.

        * **Password dictionary**: Prevent users from using passwords in the specified dictionary or in your additional dictionary entries.

          * **Default dictionary**: Choose between the [10,000 common words](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt) or [100,000 common words](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/100k-most-used-passwords-NCSC.txt) dictionaries.

          * **Additional dictionary entries**: Enter additional prohibited passwords, one per line.

        * **Block profile data in passwords**: Prevent users from setting passwords that contain the user's profile data.

          * **Select profile fields to block**: Choose from eight common default fields to block.

          * **Additional profile fields to block**: Enter additional profile fields to block.
      </Accordion>
    </AccordionGroup>

    After you modify these settings, click **Save**.
  </Tab>

  <Tab title="Management API">
    In your database connection's configuration, the `options` object contains its password policy settings. The Flexible Password Policy replaces legacy password objects and attributes in `options` with a single object (`options.password_options`) that has more granular settings.

    To enable the Flexible Password Policy using the Management API:

    <Steps>
      <Step title="Get the current database connection configuration">
        First, get your database connection's current configuration using the [Get a connection endpoint](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id).

        Save the entire configuration in the response. You can review the response body schema in the endpoint documentation.
      </Step>

      <Step title="Replace legacy settings with Flexible Password Policy settings">
        In the `options` object of the configuration, remove the following legacy password objects and values, and then append a single `password_options` object with your desired Flexible Password Policy configuration.

        | Legacy `options` attribute    | Flexible Password Policy `options` attribute |
        | ----------------------------- | -------------------------------------------- |
        | `password_complexity_options` | `password_options.complexity`                |
        | `password_history`            | `password_options.history`                   |
        | `password_no_personal_info`   | `password_options.profile_data`              |
        | `password_dictionary`         | `password_options.dictionary`                |
        | `passwordPolicy`              | Removed                                      |

        As an example, the following two `options` password configurations are equivalent:

        <Columns cols={2}>
          <div>
            ```json Legacy password policy example theme={null}
            "password_history": {
                "enable": true,
                "size": 5
            },
            "password_dictionary": {
                "enable": true,
                "dictionary": [
                    "badPassword",
                    "reallyBadPassword"
                ]
            }
            ```
          </div>

          <div>
            ```json Flexible Password Policy example theme={null}
            "password_options": {
                "history": {
                    "active": true,
                    "size": 5
                },
                "dictionary": {
                    "active": true,
                    "default": "en_10k",
                    "custom": [
                        "badPassword",
                        "reallyBadPassword"
                    ]
                }
            }
            ```
          </div>
        </Columns>

        You can view the full schema for the `password_options` object in the API reference (as in the [Update a connection endpoint](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) body parameters).
      </Step>

      <Step title="Optionally update other password settings">
        Other password attributes outside of the `password_options` object remain unchanged, but are visible in the Auth0 Dashboard's Flexible Password Policy settings:

        | Management API `options` attribute                | Auth0 Dashboard setting                   |
        | ------------------------------------------------- | ----------------------------------------- |
        | `authentication_methods.password.enabled`         | Policy > Password for login               |
        | `authentication_methods.password.signup_behavior` | Policy > Password on signup               |
        | `authentication_methods.password.api_behavior`    | Policy > Support users without a password |
        | `disable_self_service_change_password`            | Policy > Self-service change password     |

        You can optionally update these attributes to modify your configuration.
      </Step>

      <Step title="Update the database connection">
        Update your database connection with the [Update a connection endpoint](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id).

        <Warning>
          This endpoint overwrites the existing configuration with configuration you send, so include the entire modified object in your `PATCH` request to preserve your database connection's other settings.
        </Warning>
      </Step>
    </Steps>

    You can verify the update by getting your database connection's configuration again with the [Get a connection endpoint](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id). If the response contains the `options.password_options` object, the Flexible Password Policy is enabled for that database connection.
  </Tab>
</Tabs>
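The Management API steps above amount to a transformation of the connection's `options` object. The following helper, an added example and not Auth0's own code, applies that transformation locally before the `PATCH`: it removes the five legacy attributes, rebuilds `history` and `dictionary` using the field names from the example above, keeps every non-password attribute in place (so the whole object can be sent, as the warning requires), and refuses to guess the `complexity` and `profile_data` sub-schema, which this page does not show. The sample `options` object and the `passwordPolicy` value in it are constructed.

```python
"""Constructed example: convert a legacy Auth0 database-connection `options`
object to the Flexible Password Policy layout before sending it in a PATCH."""
import copy
import json

# Legacy attributes listed on the page; `passwordPolicy` has no replacement.
LEGACY_KEYS = ("password_complexity_options", "password_history",
               "password_no_personal_info", "password_dictionary", "passwordPolicy")


def migrate_options(options: dict) -> tuple[dict, list[str]]:
    """Return (new_options, needs_manual_mapping).

    `history` and `dictionary` are rebuilt with the field names shown on the
    page. `password_complexity_options` and `password_no_personal_info` map to
    `password_options.complexity` / `.profile_data`, but their sub-schema is not
    on the page, so they are reported for manual mapping against the API
    reference instead of being guessed."""
    if "password_options" in options:
        raise ValueError("connection already uses the Flexible Password Policy")
    new = copy.deepcopy(options)          # never mutate the saved GET response
    pw: dict = {}
    manual: list[str] = []
    hist = new.pop("password_history", None)
    if hist is not None:
        pw["history"] = {"active": bool(hist.get("enable", False)),
                         "size": int(hist.get("size", 0))}
    dictn = new.pop("password_dictionary", None)
    if dictn is not None:
        pw["dictionary"] = {"active": bool(dictn.get("enable", False)),
                            "default": "en_10k",   # value taken from the page's example
                            "custom": list(dictn.get("dictionary", []))}
    for key in ("password_complexity_options", "password_no_personal_info"):
        if new.pop(key, None) is not None:
            manual.append(key)
    new.pop("passwordPolicy", None)
    assert not any(k in new for k in LEGACY_KEYS)
    new["password_options"] = pw
    return new, manual


if __name__ == "__main__":
    # Constructed legacy `options`; non-password attributes must survive the PATCH.
    legacy = {"passwordPolicy": "good",
              "password_history": {"enable": True, "size": 5},
              "password_dictionary": {"enable": True, "dictionary": ["badPassword"]},
              "disable_self_service_change_password": False}
    migrated, todo = migrate_options(legacy)
    print(json.dumps({"options": migrated}, indent=2))
    print("map by hand against the API reference:", todo or "nothing")
```

Send the printed `{"options": ...}` body with the Update a connection endpoint, then confirm with Get a connection that `options.password_options` is present.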

## Revert to the legacy password policies

To revert to the legacy password policies, you must use the Management API.

Follow the same process as above to update the database connection with its original `options`, removing the entire `password_options` object.
