# ory-copilot
@chilly-king-10285 In Kratos, is it possible to configure a custom password policy?
A message from kapa.ai
Based on the knowledge sources provided, I don't see specific information about configuring custom password policies in Ory Kratos. The documentation mentions that Kratos has built-in password validation that goes beyond simple rules like requiring a character and a number, but doesn't detail how to create custom password policies.

What we do know from the sources:

1. Kratos performs password validation including checking if passwords have been found in data breaches. [Password Policy Violation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration#registration-form-validation)
2. There are configuration options for password hashing algorithms (BCrypt and Argon2id) with their respective parameters. [Passwords settings](https://www.ory.sh/docs/self-hosted/kratos/configuration/password)
3. There was a feature request to allow checking whether a username/password would be accepted without actually registering a user, which indicates that password validation is handled internally by Kratos. [Allow to check whether a username/password would be accepted](https://github.com/ory/network/issues/265)

However, the knowledge sources don't explicitly mention if or how you can configure custom password policies beyond the built-in validation. If you need this functionality, you might want to check the most recent Ory Kratos documentation or ask in the Ory Community Slack for more specific information.
In which Ory Kratos table is the password policy stored? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources provided, I don't see specific information about where Ory Kratos stores password policy configurations in its database tables. The documentation mentions that Ory Kratos implements password policies following the Digital Identity Guidelines established by NIST, but doesn't detail the database schema or tables related to password policy storage.

What we do know about Ory Kratos password policies:

1. Ory Kratos implements a password policy that:
   - Checks if a password has previously been leaked using the HIBP API
   - Checks if a password is too similar to one of the identifiers
   - Doesn't expire passwords

   [Best practices](https://www.ory.sh/docs/concepts/password-policy#best-practices)
2. There's a default minimum password length of 6 characters as shown in one of the error messages:

```json
{
  "id": 4000032,
  "text": "The password must be at least 6 characters long, but got 5.",
  "type": "error",
  "context": {
    "actual_length": 5,
    "min_length": 6
  }
}
```

   [The password must be at least 6 characters long](https://www.ory.sh/docs/kratos/concepts/ui-messages#the-password-must-be-at-least-6-characters-long-but-got-5-4000032)
3. Kratos uses PostgreSQL as its database in production deployments, but the specific tables for password policy storage aren't mentioned in the provided knowledge sources. [Deploy to production](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example)

The knowledge sources don't contain enough information to identify the specific database table where password policies are stored in Ory Kratos. You might want to check the Ory Kratos database schema documentation or ask in the Ory community forums for more specific information about the database structure.
Can Kratos disable Ory's common password policy? @chilly-king-10285
A message from kapa.ai
Yes, Ory Kratos allows you to disable specific aspects of its default password policy. Based on the knowledge sources, you can disable the following password policy features:

### Leaked Password Check

You can disable the "Have I Been Pwned" (HiBP) breach database check, which prevents users from using commonly leaked passwords:

```shell
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/haveibeenpwned_enabled=false'
```

[Password policy](https://www.ory.sh/docs/concepts/password-policy) explains that this feature is enabled by default but can be toggled off.

### Identifier Similarity Check

You can also disable the similarity check that prevents users from choosing passwords too similar to their identifiers (like email or username):

```shell
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/identifier_similarity_check_enabled=false'
```

[Password policy](https://www.ory.sh/docs/concepts/password-policy) mentions this feature is enabled by default but can be disabled.

### Minimum Password Length

While you can't completely disable the minimum password length requirement, you can modify it:

```shell
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/min_password_length=12'
```

The default minimum length is 8 characters according to [Password policy](https://www.ory.sh/docs/concepts/password-policy).

### Important Security Consideration

It's worth noting that disabling these security features will "significantly decrease the security of the service and not follow [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)" as mentioned in [Host your own breached password detection API](https://www.ory.sh/docs/kratos/guides/hosting-own-have-i-been-pwned-api). If you're concerned about external API calls to HiBP, you can also host your own HiBP API instance instead of completely disabling the feature.
Can I set this password policy in Kratos: at least 1 number (0-9), at least 1 uppercase letter (A-Z), at least 1 lowercase letter (a-z)? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources provided, Ory Kratos doesn't support configuring custom character-based password complexity rules like requiring at least 1 number, 1 uppercase letter, and 1 lowercase letter. Ory Kratos follows the NIST Digital Identity Guidelines, which specifically recommend against imposing such character composition rules:

> "Verifiers SHOULD NOT impose other composition rules (such as, requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets."

[Password complexity](https://www.ory.sh/docs/concepts/password-policy#password-complexity)

Instead, Ory's password policy focuses on:

1. Minimum password length (default 8 characters)
2. Checking against breached password databases (HaveIBeenPwned)
3. Checking for similarity to user identifiers

As stated in the documentation:

> "Ory Identities implements a password policy that:
> - Checks if a password has previously been leaked using the HIBP API
> - Checks if a password is too similar to one of the identifiers
> - Doesn't expire passwords."

[Password policy](https://www.ory.sh/docs/concepts/password-policy#best-practices)

The documentation doesn't mention any way to configure character-based complexity requirements like the ones you're asking about. This is intentional, as modern password security best practices have moved away from these types of requirements, which often lead to predictable patterns (like "Password1!") rather than truly secure passwords. If you need these specific password complexity rules, you might need to implement them in your own UI layer before submitting to Kratos, but be aware this goes against the security recommendations that Ory follows.
@chilly-king-10285 Can Ory Kratos be configured with the password policy "Users cannot reuse any of their last x passwords"?
A message from kapa.ai
Based on the knowledge sources provided, there is no explicit feature in Ory Kratos that allows you to configure a password policy to prevent users from reusing their last X passwords. The documentation describes Ory's password policy implementation, which focuses on:

1. Checking if passwords have been leaked using the HaveIBeenPwned API
2. Checking if passwords are too similar to user identifiers
3. Enforcing minimum password length
4. Not expiring passwords

[Password policy](https://www.ory.sh/docs/concepts/password-policy#best-practices)

The NIST guidelines that Ory follows actually recommend against forcing arbitrary password changes:

> "Verifiers SHOULD NOT impose other composition rules (such as, requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

[Password complexity](https://www.ory.sh/docs/concepts/password-policy#password-complexity)

While Ory does provide a hook to revoke active sessions after password changes:

```yaml
selfservice:
  flows:
    settings:
      after:
        password:
          hooks:
            - hook: revoke_active_sessions
```

[Revoke other active user sessions after changing the password](https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook)

There is no mention in the provided knowledge sources of a feature to track password history and prevent reuse of previous passwords. If this feature is important for your use case, you might need to implement it through custom logic using webhooks or other integration points, but it's not available as a built-in configuration option in Ory Kratos based on the provided documentation.
@chilly-king-10285 What is the maximum number of password characters in the password policy?
A message from kapa.ai
Based on the knowledge sources, Ory Kratos has a maximum password length of 72 characters. This is due to the BCrypt hashing algorithm that Ory uses to hash passwords. As mentioned in the documentation:

```json
{
  "id": 4000033,
  "text": "The password must be at most 72 characters long, but got 80.",
  "type": "error",
  "context": {
    "actual_length": 80,
    "max_length": 72
  }
}
```

[The password must be at most 72 characters long](https://www.ory.sh/docs/kratos/concepts/ui-messages#the-password-must-be-at-most-72-characters-long-but-got-80-4000033)

This limitation is further explained in the troubleshooting documentation:

> BCrypt hashed passwords and secrets have a 72 character limit. This is a limitation of the BCrypt algorithm and the Golang BCrypt library.

[BCrypt hashed passwords and secrets have 72 character limit](https://www.ory.sh/docs/troubleshooting/bcrypt-secret-length)

The Golang BCrypt library has a maximum password length of 73 bytes, but Ory enforces a 72 character limit. Any password longer than this will be rejected with the error message shown above.
Can I set a maximum of 30 characters, and how? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources provided, there is no explicit documentation showing how to configure a custom maximum password length in Ory Kratos that would be lower than the default 72 characters. The default maximum password length of 72 characters is enforced due to the limitations of the BCrypt hashing algorithm that Ory uses:

```json
{
  "id": 4000033,
  "text": "The password must be at most 72 characters long, but got 80.",
  "type": "error",
  "context": {
    "actual_length": 80,
    "max_length": 72
  }
}
```

[The password must be at most 72 characters long](https://www.ory.sh/docs/kratos/concepts/ui-messages#the-password-must-be-at-most-72-characters-long-but-got-80-4000033)

While the documentation shows how to configure the minimum password length using the Ory CLI:

```shell
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/min_password_length=12'
```

[Password policy](https://www.ory.sh/docs/concepts/password-policy)

There is no equivalent command or configuration option mentioned for setting a custom maximum password length below the default 72 characters. If you need to enforce a maximum length of 30 characters, you might need to implement this validation in your own UI layer before submitting to Kratos, as the knowledge sources don't indicate this is configurable within Kratos itself.
Can I track the last password login in Kratos? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources provided, Ory Kratos does have some capabilities for tracking login attempts, but there's no built-in feature specifically for tracking the last successful password login. Here's what the documentation shows:

1. Kratos tracks session information, including authentication methods and timestamps. When a user logs in successfully, Kratos creates a session that includes:
   - `authenticated_at`: When the authentication happened
   - `authentication_methods`: Which includes the method (e.g., "password") and when it was completed

```json
{
  "authentication_methods": [
    {
      "method": "password",
      "aal": "aal1",
      "completed_at": "2023-02-03T15:41:22.898346346Z"
    }
  ]
}
```

   [Session Checks](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#session-checks)
2. There's an open GitHub issue (#3037) discussing the implementation of features for "Throttling repeated login requests & account lock" which proposes creating a new table to store login history:

```text
Create a new table to store the login history of a specific identity. The schema is as follows:
- id (uuid, primary key)
- identity_id (foreign key referencing identities.id)
- login_time (datetime)
- login_status (enum: 'success', 'failure')
```

   [Throttling repeated login requests & account lock](https://github.com/ory/kratos/issues/3037)

   However, this is an open issue, not a currently implemented feature.
3. Kratos does track some device information for sessions, including IP address, user agent, and location:

```json
"devices": [
  {
    "id": "3d4af645-002a-40ee-af42-f81ec2c614ac",
    "ip_address": "",
    "user_agent": "curl/7.81.0",
    "location": "Munich, DE"
  }
]
```

Based on the available information, while you can access the timestamp of the current session's authentication, there doesn't appear to be a built-in way to track or query the history of past successful password logins in the current version of Kratos. If you need this functionality, you might need to implement it yourself by:

1. Using webhooks to capture login events
2. Implementing your own tracking system
3. Waiting for the account lockout feature (issue #3037) to be implemented, which would include login history tracking

The knowledge sources don't contain information about any configuration options for enabling such tracking.