Set to true to disallow the username as part of the password.

Default is false.


Set the number of days after which a password expires. Login attempts fail if the user does not reset the password before expiration.


Set the number of previous password that will not be allowed to be set as new password. If the option is not set or set to 0, no previous passwords will be considered.

Valid values are >= 0 and <= 20.
Default is 0.


Set to true if a request to reset the password should return a success response even if the provided email address is invalid, or false if the request should return an error response if the email address is invalid.

Default is true.


Set to true if a password reset token should be reused in case another token is requested but there is a token that is still valid, i.e. has not expired. This avoids the often observed issue that a user requests multiple emails and does not know which link contains a valid token because each newly generated token would invalidate the previous token.

Default is false.


Set the validity duration of the password reset token in seconds after which the token expires. The token is used in the link that is set in the email. After the token expires, the link becomes invalid and a new link has to be sent. If the option is not set or set to undefined, then the token never expires.

For example, to expire the token after 2 hours, set a value of 7200 seconds (= 60 seconds * 60 minutes * 2 hours).

Default is undefined.


Set the error message to be sent.

Default is Password does not meet the Password Policy requirements.


Set a callback function to validate a password to be accepted.

If used in combination with validatorPattern, the password must pass both to be accepted.


Set the regular expression validation pattern a password must match to be accepted.

If used in combination with validatorCallback, the password must pass both to be accepted.