<@U04UQ68083H> how can i turn off the "strong" pas...
# ory-copilot
@chilly-king-10285 How can I turn off the "strong" password protection when self-hosting Ory Kratos? I want the developers on my team to be able to use simple passwords for local testing.
A message from kapa.ai
Ory Kratos uses the "Have I been pwned" breach database to check passwords and ensure users can't use commonly used ones like "password", "123456", etc. This feature is enabled by default. However, you can disable this feature by adjusting the configuration file. Here is how you can do it using the Ory CLI:
```bash
ory patch identity-config "$PROJECT_ID" \
    --replace '/selfservice/methods/password/config/haveibeenpwned_enabled=false'
```
Replace `$PROJECT_ID` with your project's ID. Alternatively, you can disable this feature by setting the `haveibeenpwned_enabled` field to `false` in the configuration file:
```yaml
selfservice:
  methods:
    password:
      config:
        haveibeenpwned_enabled: false
```
Please note that this will effectively remove checks for commonly used passwords, and it's not recommended for production environments. For more details, you can refer to the [Ory documentation on password policy](https://www.ory.sh/docs/concepts/password-policy#leaked-password-check).
@chilly-king-10285 Can I also turn off the check on password length? Right now, it says "The password must be at least 8 characters long, but got 3."
A message from kapa.ai
Yes, you can adjust the minimum password length in Ory Kratos. By default, the minimum password length is set to 8 characters. You can change this value using the Ory CLI:
```bash
ory patch identity-config "$PROJECT_ID" \
    --replace '/selfservice/methods/password/config/min_password_length=3'
```
Replace `$PROJECT_ID` with your project's ID. Alternatively, you can adjust this setting in the configuration file:
```yaml
selfservice:
  methods:
    password:
      config:
        min_password_length: 3
```
This will set the minimum password length to 3 characters. Please note that using a short password length can reduce the security of your system and is not recommended for production environments. For more details, you can refer to the [Ory documentation on password policy](https://www.ory.sh/docs/concepts/password-policy#minimum-password-length).