Password checking enabled by default in OpenSearch 2.8.0?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.8.0 (deployed via OpenSearch Helm Chart version 2.13.0)

Describe the issue:
I was surprised when my existing script to deploy OpenSearch using the official Helm chart failed. I eventually tracked the problem down to a failing curl command that creates a user using the security API. That curl command failed because the password I was using was considered “weak”. And, in the OpenSearch 2.8.0 documentation, I see there is new content referring to the use of the zxcvbn library and how it allows us to define a policy that “emphasizes password complexity rather than its capacity to meet traditional criteria such as uppercase keys, numerals, and special characters.” That sounds like it could be very useful. However, enabling this feature seems like a breaking change to me since it broke my existing process. That would be Concern #1.

Concern #2 is that the documentation doesn’t appear to include information on how to disable this functionality. It mentions two properties ( and and how they can be set to adjust the length and required “strength”. But it doesn’t provide values to disable either/both of those settings.

My opensearch.yml file has neither of those keys set and yet the feature is working. I’ve looked at the Helm chart values.yml file and it also does not explicitly set either of these values. So, I’m not inheriting some default settings from the Helm chart. That seems to indicate these properties are enabled by default and set to some values but it isn’t clear what those values are. I guess that would be Concern #3.

Since the zxcvbn library uses its own criteria (based on commonly used passwords, English names, Wikipedia entries, etc.) it is difficult to know what to tell our users is acceptable. We could point them to the project’s GitHub repo and suggest they peruse the list of 30,000+ forbidden passwords but that seems unreasonable. We create a small number of users (via API) during our installation process after the user has provided passwords to us. Giving them guidance on what is acceptable or not would be helpful. At this point, it appears that the only way to validate a password is to attempt to use it. Let’s call that Concern #4.

It also seems this new feature is an alternative (or maybe a replacement) for existing functionality that allows us to define password validation that follows the traditional approach (i.e. requiring some combination of characters of different classes). But the documentation doesn’t indicate that the earlier approach is deprecated. So, if that is the case, I guess that would be Concern #5.


  1. Unannounced Breaking Change
  2. No documented way to disable this new functionality
  3. Enabled by default outside of the opensearch.yml mechanism with unknown default values
  4. No guidance to share with users on what is an acceptable/unacceptable value
  5. Conflicts with (or possibly meant to replace) existing password strength settings

Let me be clear: I’m not arguing against strong passwords or any particular technology. Obviously, security is important. My concerns are about how this was rolled out and the incomplete documentation.

Can anyone shed light on how I can disable this form of password checking?
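The curl-based user creation described in the post, as an added example that is not part of the original post or of the OpenSearch project: a small POSIX shell script that creates an internal user through the security REST API (`PUT _plugins/_security/api/internalusers/<name>`) and, when the cluster rejects the password with HTTP 400, shows the validator's response instead of failing silently. It also JSON-escapes the user-supplied password and passes the body and admin credentials to curl via files/stdin rather than on the command line. The cluster URL, the environment variable names and the `--create` entry point are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the forum post or the OpenSearch project).
# Assumptions: OS_URL, OS_ADMIN_USER and OS_ADMIN_PASSWORD are set in the
# environment; curl is installed; OS_INSECURE=1 tolerates self-signed TLS.

OS_URL="${OS_URL:-https://localhost:9200}"

# Escape a string for embedding in a JSON string literal. User-supplied
# passwords may contain quotes or backslashes; interpolating them raw into
# the request body breaks the JSON (or lets the input rewrite the document).
# Backslashes must be doubled before quotes are escaped.
# Control characters (tab, newline) are not handled here.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Body for PUT _plugins/_security/api/internalusers/<name>.
user_body() {
    printf '{"password": "%s"}' "$(json_escape "$1")"
}

# Map the HTTP status to an outcome the deploy script can act on.
#   200 = existing user updated, 201 = user created,
#   400 = request rejected (this is where a "weak" password is reported).
classify_status() {
    case "$1" in
        200) echo updated ;;
        201) echo created ;;
        400) echo rejected ;;
        401|403) echo unauthorized ;;
        *) echo error ;;
    esac
}

# Create (or update) the user. The JSON body reaches curl on stdin and the
# admin credentials through a mode-0600 curl config file (-K), so neither
# the new user's password nor the admin password shows up in `ps` output.
create_user() {
    name="$1"; password="$2"
    cfg=$(mktemp) || return 1
    out=$(mktemp) || { rm -f "$cfg"; return 1; }
    chmod 600 "$cfg" "$out"
    printf 'user = "%s:%s"\n' "$OS_ADMIN_USER" "$OS_ADMIN_PASSWORD" > "$cfg"
    status=$(user_body "$password" | curl -sS -K "$cfg" -o "$out" -w '%{http_code}' \
        ${OS_INSECURE:+-k} \
        -H 'Content-Type: application/json' \
        -X PUT "$OS_URL/_plugins/_security/api/internalusers/$name" --data-binary @-)
    outcome=$(classify_status "$status")
    case "$outcome" in
        created|updated) echo "user $name: $outcome" ;;
        rejected)
            # Surface the validator's message so the operator (or the person
            # who chose the password) sees why it was refused.
            echo "user $name: rejected by the cluster (HTTP $status):" >&2
            cat "$out" >&2; echo >&2
            ;;
        *) echo "user $name: $outcome (HTTP $status)" >&2 ;;
    esac
    rm -f "$cfg" "$out"
    [ "$outcome" = created ] || [ "$outcome" = updated ]
}

# Entry point (assumed): ./create_user.sh --create <name> <password>
if [ "${1:-}" = "--create" ]; then
    create_user "$2" "$3"
fi
```

Until the cluster offers a way to test a password without creating a user, a deploy script can at least fail loudly with the cluster's own reason; the 400 check is the "only way to validate a password is to attempt to use it" point from the post, made explicit in code.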

Hey @GSmith

I just checked on my lab server and understand now what you're talking about.

Have you tried to modify these lines: 10 very_strong

to something like this: 1 fair

As for disabling it, I haven't found a way to do that yet, but we use AD DC and SSO, so the password policy for those is visible to all our users.

Any update on this from higher-up?

It would be nice to know what the default setting is for password_score_based_validation_strength if this is suddenly going to be enforced by default. We’re not able to figure this out easily with GET _cluster/settings, it’s not showing up.

EDIT: Tried setting this setting to “good”, and am getting:

Exception java.lang.IllegalArgumentException: Setting [] cannot be used with the configured: good. Expected one of [fair,strong,very_strong]


I am facing the same problem in a customer's project where I need to update to the latest OpenSearch from 2.7.0. Did you find a way to disable the password checking?