# talk-kratos
e
Hi! Is there any clear documentation about password validation? I want to pre-validate in my frontend. Like at least 8 characters. But are there more rules which I can use?
m
Hey Tom, are you on Ory Cloud or self-hosting? In Ory Kratos those rules are currently hardcoded; also see this issue: https://github.com/ory/kratos/issues/970
e
Hi, self-hosting, playing around. Yes, I did read that. It is not that I want to change them, but I want to "pre-validate" in my frontend application. So I have to know the rules which I can use. I know I cannot validate everything, but everything I can catch before it is sent to the backend.
m
I see, maybe this list can help: https://github.com/ory/kratos/blob/master/cmd/clidoc/main.go. Those should be all that are related to login/sign-up:
• MinLength
• InvalidFormat
• PasswordPolicyViolation
• InvalidCredentials
• DuplicateCredentials
• TOTPVerifierWrong
• LookupAlreadyUsed
• LookupInvalid
• IdentifierMissing
• NoTOTPDevice
• NoLookup
• NoWebAuthnDevice
I wonder where a good place in the documentation would be for this. Where did you look for it, if I may ask? PS: oh, and let me know if this is indeed what you were searching for.
e
I think I can go with that for now. I can look at the errors to see which rules are attached. I did read the complete documentation before I started, so I knew there was a page with the concept about passwords. It is this page: https://www.ory.sh/kratos/docs/concepts/security/ under Password Policy.
m
Neat, let me know if you succeed! Will make a note to add something; the security page could be a good place. Thanks for the suggestion!
e
Hi Vincent, I couldn't quite figure it out with the link you provided, but I found the following function: https://github.com/ory/kratos/blob/bb5846ecb446b9e58b2a4949c678fddac4bbac4f/selfservice/strategy/password/validator.go#L144 It looks like the first rule (min length 8) can be implemented in my frontend, and the rule which checks for difference from the identifier (I can try). Is this the complete validation function? Shouldn't there be a max length? This is in connection with any problems with hashing and saving the password (DB), taking into account "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length".
m
Hello @User, this fell off my radar, apologies. We just got a contribution adding configuration for min length and more: https://github.com/ory/kratos/pull/2118 I am not sure if the max length can cause problems in the backend, but could you limit this in the frontend form? Feel free to open an issue if you feel this is a feature that should be considered in Ory Kratos; then it won't get lost 😉