About changing Password Policy

Hello everyone.

I want to change the password policy from a database in order to delete special characters. I guess it is creating a Rule in order to dont allow users to write special characters… is it correct? How can I do it?
If there are already users with special characters in their password, will they be able to access to DB? Or the system wont allow them ?

Thank you in advance.

Hi @Totodile

Thanks for contacting us at Auth0 Community. We’re happy to help.

You can amend the password policy at the database connection level, there is also an option here to exclude the special characters requirement, please see https://auth0.com/docs/authenticate/database-connections/password-strength#change-your-policy for more information.

Existing users will not be affected, just new sign ups.

Warm regards.


Hello and thank you for your answer, @SaqibHussain

I’m trying to just make a rule in order to not allow the ‘?’ character in the password field, so the user gets a warning if the “'?” is introduced. Is it possible to do it?

Thank you.

Anyone can help me? Im stuck.


Hi @Totodile

The Special Characters we allow are the ones defined in OWASP Password Policy recommendation document, so they are: " !"#$%&'()*+,-./:;<=>?@[]^_`{|}~ "​​​​​​. You can review this in one of our libraries too: https://github.com/auth0/password-sheriff/blob/master/lib/rules/contains.js

As a result I don’t think you can exclude the question mark character from the list of special characters. If you have a special use case feel free to log some feedback here detailing your requirements for our product team to review.

Hi @SaqibHussain .

Thank you for your answer.
I will ask on feedback section if it’s possible or not.

Kind regards.