  • Passwords must be at least 8 characters in length (§5.1.1.1). The minimum and maximum lengths of the password are configurable.
  • Password hints are not supported (§5.1.1.2).
  • Password character composition checks are not supported (§5.1.1.1).
  • Passwords do not expire on a scheduled basis (§5.1.1.2). That is, there is no ability to require a password change after (e.g.) 90 days. (A password can be manually expired or reset.)
  • Passwords may not be reset using knowledge-based pre-stored secrets (i.e., password reset questions or "backup memorized secrets", §6.1.2.3).

Checking against commonly used or compromised passwords (CO-1501) and password strength meters (CO-1502) are not currently supported.

Password Hashing Formats

Currently the only supported hash format is crypt (PASSWORD_DEFAULT) as implemented by the PHP password_hash function. Additional formats are likely to be supported in future releases.
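
The length-only policy and the hash format described above, sketched in PHP as an added example (not the project's own code). The function names and the 64-character maximum are assumptions; the 8-character minimum and password_hash with PASSWORD_DEFAULT come from the text above. It assumes the mbstring extension is available.

```php
<?php
declare(strict_types=1);

// Hypothetical defaults; both limits are described above as configurable.
const MIN_LENGTH = 8;
const MAX_LENGTH = 64;

/** Returns a list of policy violations (empty when the password is acceptable). */
function checkPasswordPolicy(string $password, int $min = MIN_LENGTH, int $max = MAX_LENGTH): array
{
    $errors = [];
    // Count characters, not bytes, so multi-byte UTF-8 input is measured fairly.
    $length = mb_strlen($password, 'UTF-8');
    if ($length < $min) {
        $errors[] = "Password must be at least $min characters.";
    }
    if ($length > $max) {
        $errors[] = "Password must be at most $max characters.";
    }
    // Deliberately no composition rules (upper/lower/digit/symbol) and no expiry check.
    return $errors;
}

/** Hashes a password that has already passed the policy check. */
function hashPassword(string $password): string
{
    // PASSWORD_DEFAULT lets PHP pick the algorithm; salt and cost are embedded in the result.
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Verifies a login attempt; returns [ok, replacement hash or null]. */
function verifyPassword(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // If PHP's default algorithm or cost changed since the hash was stored, rehash now.
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? hashPassword($password)
        : null;
    return [true, $newHash];
}

// Constructed sample input.
var_dump(checkPasswordPolicy('short'));
var_dump(checkPasswordPolicy('correct horse battery staple'));
$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash)[0]);
var_dump(verifyPassword('wrong guess', $hash)[0]);
```

When verifyPassword returns a replacement hash, the caller should store it in place of the old one so existing accounts follow changes to PHP's default.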