@johnathon

These are the steps FusionAuth takes to check whether a password contains special characters:

Convert the Java String to a char[] (a char is a 16-bit unicode value in Java) Check each character c to determine whether it is a special character using
!Character.isAlphabetic(c) && !Character.isDigit(c) If any character in the string returns true for the above check, we consider it to contain a special character

A duplicate of https://fusionauth.io/community/forum/topic/438/password-complexity-rules

But the easiest way to see this is in the tenant API, since that is where they are configured.

At time of writing, here are the options.

Screen Shot 2021-05-12 at 1.50.12 PM.png

If using the API, you should receive a 203 on Login once you attempt login with the correct password. Your application should check the status code and send the user to the appropriate place to change their password.

If using the hosted login pages, you should end up on the /password/change page after logging in.

The rules apply only when they change their password in the future.

We don't have any way of knowing the user's current password.

You can, of course, force the user to change their password, and then the new password rules would apply. You can do this in the admin ui or via updating the passwordChangeRequired field in the user object via the API.

Head over to the admin, and click tenants.

There you will find your default tenant. edit that to change your password strength etc.

(You can also do that for multiple tenants if you have them or via the Tenants API.)