<@U04UQ68083H> how do I change password requiremen...
# ory-copilot
@chilly-king-10285 how do I change password requirements?
A message from kapa.ai
To change password requirements in Ory Identities (Ory Kratos), you need to adjust the password policy settings in your configuration. Here are the main options you can configure:

### Minimum Password Length

By default, passwords must be at least 8 characters long. You can change this value using the Ory CLI:
```
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/min_password_length=12'
```
This example sets the minimum password length to 12 characters. All characters (Unicode, ASCII) are allowed by default [Password policy](https://www.ory.sh/docs/concepts/password-policy).

### Similarity Check

Ory checks that passwords are not too similar to user identifiers (like email or username). You can disable this check if needed:
```
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/identifier_similarity_check_enabled=false'
```
[Password policy](https://www.ory.sh/docs/concepts/password-policy)

### Leaked Password Check

Ory checks passwords against the "Have I Been Pwned" database to prevent the use of compromised passwords. You can disable this check:
```
ory patch identity-config "$PROJECT_ID" \
  --replace '/selfservice/methods/password/config/haveibeenpwned_enabled=false'
```
[Password policy](https://www.ory.sh/docs/concepts/password-policy)

### Password Complexity

Ory follows NIST guidelines and does not require mixtures of character types or prohibit repeated characters. You cannot enforce complexity rules like "must include a number and a symbol" unless you implement additional checks in your own UI or logic. The main configurable requirement is the minimum length [Password complexity](https://www.ory.sh/docs/concepts/password-policy#password-complexity).

---

For more advanced configuration, refer to the [Password Policy documentation](https://www.ory.sh/docs/concepts/password-policy). If you are self-hosting, you can also set these options in your `config.yml` file under the `selfservice.methods.password.config` section.