<@U04UQ68083H> I'm using the CreateIdentity endpoi...
# ory-copilot
@chilly-king-10285 I'm using the CreateIdentity endpoint in the Ory API. It does not seem to be enforcing bad passwords. That is, I can create an identity with the password "weak". Is this expected behavior?
A message from kapa.ai
Yes, this is the expected behavior. When you use the CreateIdentity endpoint in the Ory API, it does not enforce password policies. This is because the endpoint is designed to allow you to import existing user data, including passwords, into Ory. However, Ory does have robust password policies in place for other flows. For example, it checks passwords against the "Have I been pwned" breach database to prevent users from using commonly used passwords. It also ensures a sufficient Levenshtein-Distance between the identifier and the password to prevent weak passwords. The minimum password length is 8 characters by default. These policies follow the guidelines established by the National Institute of Standards and Technology (NIST) and the National Cyber Security Centre (NCSC). If you import a password using the CreateIdentity endpoint, the user will need to update their password according to the policy themselves using self-service flows. Here is an example of how to import a clear text password:
```json
{
  "schema_id": "<preset://email>",
  "traits": {
    "email": "[[email protected]]"
  },
  "credentials": {
    "password": {
      "config": {
        "password": "the-password"
      }
    }
  }
}
```
In this example, the password `the-password` will be hashed according to the configured password hashing algorithm and stored in the database. The identity will be able to sign in using `[[email protected]]` and `the-password` as credentials.
Sources:
- [Importing credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#importing-credentials)
- [Password policy](https://www.ory.sh/docs/concepts/password-policy)
- [Leaked password check](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check)
@chilly-king-10285 is this a change from pre version 1?
A message from kapa.ai
I'm sorry, but the provided knowledge sources do not contain information about changes in password enforcement in the CreateIdentity endpoint from versions prior to version 1 of Ory. For detailed information about changes in different versions of Ory, I recommend checking the official Ory changelog or documentation.
@chilly-king-10285 So how can I enforce password strength when using the Kratos API?
A message from kapa.ai
Ory Kratos enforces password strength during the registration and password change flows. It checks if a password has previously been leaked using the HIBP API, checks if a password is too similar to one of the identifiers, and doesn't expire passwords. However, these checks are not performed when you directly create or update an identity using the API. If you want to enforce password strength when creating identities, you would need to implement the password strength checks in your own application before calling the Ory Kratos API. You can follow the guidelines provided by Ory in their [Password Policy documentation](https://www.ory.sh/docs/concepts/password-policy). For example, you could use a password strength checking library in your application to ensure that passwords meet your requirements before calling the Ory Kratos API to create or update an identity. Remember, when you use the CreateIdentity or UpdateIdentity endpoints, you can provide either a plain text password or a hashed password in PHC format. If you provide a plain text password, Ory Kratos will hash it for you. Here is an example of how to create an identity with a password:
```json
{
  "schema_id": "default",
  "traits": {
    "email": "[[email protected]]"
  },
  "credentials": {
    "password": {
      "config": {
        "password": "the-password"
      }
    }
  }
}
```
In this example, the password `the-password` will be hashed according to the configured password hashing algorithm and stored in the database. The identity will be able to sign in using `[[email protected]]` and `the-password` as credentials.
Sources:
- [Create Identity API](https://www.ory.sh/docs/kratos/reference/api#operation/createIdentity)
- [Password Policy](https://www.ory.sh/docs/concepts/password-policy)