
# Configure Password Policies in Auth0 Database Connections

> Enforce password policies in database connections to disallow repeated passwords, common passwords, personal data in passwords, and insufficiently complex passwords.

## Available password policies

When using the Auth0 data store or a custom database connection, you can enforce the following password policies.

| Policy              | Description                                                                                                                                                                                                                                                                      |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Password history    | Users cannot reuse their most recent passwords. Auth0 retains up to 24 passwords of history while this policy is enabled.                                                                                                                                                        |
| Password dictionary | Users cannot use passwords in the [default dictionary list](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt) of 10,000 common passwords or any additional passwords you prohibit (based on case-insensitive comparison). |
| Block personal data | Users cannot use passwords containing the values of `name`, `username`, `nickname`, `user_metadata.name`, `user_metadata.first`, `user_metadata.last`, or the first part of their email (before the `@`).                                                                        |
| Password strength   | Users cannot use passwords that do not meet the chosen complexity requirements. There are 5 levels to choose from matching the [OWASP password recommendations](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md).                |

You can configure these options in the Auth0 Dashboard or by using the Management API.

## Enforce password policies with the Auth0 Dashboard

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Password policies for [social and enterprise connections](/docs/authenticate/identity-providers) are enforced by each provider, not by Auth0's database connection password policies.
</Callout>

To enable or disable password policies from the Auth0 Dashboard:

1. Go to [Auth0 Dashboard > Authentication > Database](https://manage.auth0.com/#/connections/database), and select the name of the connection you want to edit.

2. Select the **Authentication Methods** tab. Then, in the **Password** section, select **Configure** to open the **Password** panel.

3. Select the **Security** section to expand it, and then update the policies you want to change:

   * Check or uncheck the **Password history** box. Use the **Password history size** field to choose the number of previous passwords that users cannot reuse.

   * Check or uncheck the **Password dictionary** box. Use the **Additional dictionary entries** text field to specify additional prohibited passwords, one per line.

   * Check or uncheck the **Block Personal Data** box.

4. Select the **Composition** section to expand it, then use the **Strength** slider to choose a level of complexity:

   * **None**: Requires a non-empty password.
   * **Low**: Requires a character length you specify.
   * **Fair**: All previous, and additionally requires a lowercase letter, an uppercase letter, and a number.
   * **Good**: Additionally requires at least three of a lowercase letter, an uppercase letter, a number, and a special character (`!@#$%^&*`).
   * **Excellent**: All previous, and additionally requires there to be no more than 2 identical characters in a row.

5. Click **Save**.

## Enforce password policies with the Management API

You can use the Management API to configure password policies when you create or update a database connection. For more information, see the following endpoints:

* [Create a connection endpoint](https://auth0.com/docs/api/management/v2/connections/post-connections)
* [Update a connection endpoint](https://auth0.com/docs/api/management/v2/connections/patch_connections_by_id)

You can view a database connection's current password policies in the `options` object returned from the [Get a connection endpoint](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id).
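As an added example (not part of the Auth0 documentation), the following Python mirrors the strength levels from step 4 together with the dictionary and personal-data policies, evaluating a password against a connection's `options` object as returned by the Get a connection endpoint, which is useful for checking a policy locally before rolling it out. The option field names `passwordPolicy`, `password_complexity_options.min_length`, `password_dictionary` and `password_no_personal_info` are assumed from the Management API connection options and should be verified against the endpoint reference linked above; the sample options and user are constructed, and only additional dictionary entries, not the default 10,000-word list, are checked.

```python
import re

# Special characters the Composition section lists for the "Good" level.
SPECIALS = set("!@#$%^&*")
LEVELS = ["none", "low", "fair", "good", "excellent"]

def personal_values(user):
    """Lower-cased values the Block personal data policy forbids inside a password."""
    meta = user.get("user_metadata") or {}
    vals = [user.get("name"), user.get("username"), user.get("nickname"),
            meta.get("name"), meta.get("first"), meta.get("last")]
    if user.get("email"):
        vals.append(user["email"].split("@", 1)[0])  # local part before the @
    return [v.lower() for v in vals if v]

def check_password(pw, options, user=None):
    """Return the list of policy violations for `pw`; an empty list means it passes.
    `options` mirrors a connection's Management API options object (assumed field names)."""
    problems = []
    level = options.get("passwordPolicy", "none")
    if level == "none":                       # None: only a non-empty password
        return ["password is empty"] if not pw else []
    rank = LEVELS.index(level)
    # Assumed default of 8 when the connection sets no explicit minimum length.
    min_len = (options.get("password_complexity_options") or {}).get("min_length", 8)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has = {"lower": any(c.islower() for c in pw), "upper": any(c.isupper() for c in pw),
           "digit": any(c.isdigit() for c in pw), "special": any(c in SPECIALS for c in pw)}
    if rank == 2 and not (has["lower"] and has["upper"] and has["digit"]):   # Fair
        problems.append("needs a lowercase letter, an uppercase letter and a number")
    if rank >= 3 and sum(has.values()) < 3:                                  # Good
        problems.append("needs at least three of lower/upper/number/special")
    if rank >= 4 and re.search(r"(.)\1\1", pw):                               # Excellent
        problems.append("more than 2 identical characters in a row")
    low = pw.lower()
    dictionary = options.get("password_dictionary") or {}
    if dictionary.get("enable") and low in {w.lower() for w in dictionary.get("dictionary", [])}:
        problems.append("in the prohibited dictionary")   # comparison is case-insensitive
    if (options.get("password_no_personal_info") or {}).get("enable") and user:
        hit = next((v for v in personal_values(user) if v in low), None)
        if hit:
            problems.append(f"contains personal data '{hit}'")
    return problems

# Constructed sample: what a Get-a-connection response's `options` could contain.
SAMPLE_OPTIONS = {"passwordPolicy": "excellent",
                  "password_complexity_options": {"min_length": 10},
                  "password_dictionary": {"enable": True, "dictionary": ["Acme2024!"]},
                  "password_no_personal_info": {"enable": True}}
SAMPLE_USER = {"name": "Jane Doe", "username": "jdoe", "email": "jane.doe@example.com"}
```

Password history is omitted because Auth0 compares against stored hashes, which the `options` object does not expose.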
