diff --git a/locales/en.json b/locales/en.json
index c86a57553..6cfab9109 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -369,6 +369,7 @@
 "firewall_rules_cmd_failed": "Some firewall rule commands have failed. More info in log.",
 "global_settings_reset_success": "Reset global settings",
 "global_settings_setting_admin_strength": "Admin password strength",
+ "global_settings_setting_admin_strength_help": "These requirements are only enforced when defining the password",
 "global_settings_setting_backup_compress_tar_archives": "Compress backups",
 "global_settings_setting_backup_compress_tar_archives_help": "When creating new backups, compress the archives (.tar.gz) instead of uncompressed archives (.tar). N.B. : enabling this option means create lighter backup archives, but the initial backup procedure will be significantly longer and heavy on CPU.",
 "global_settings_setting_nginx_compatibility": "NGINX Compatibility",
@@ -392,12 +393,13 @@
 "global_settings_setting_ssh_allow_deprecated_dsa_hostkey": "Allow DSA hostkey",
 "global_settings_setting_ssh_allow_deprecated_dsa_hostkey_help": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
 "global_settings_setting_ssh_compatibility": "SSH Compatibility",
- "global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
+ "global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects). See https://infosec.mozilla.org/guidelines/openssh for more info.",
 "global_settings_setting_ssh_password_authentication": "Password authentication",
 "global_settings_setting_ssh_password_authentication_help": "Allow password authentication for SSH",
 "global_settings_setting_ssh_port": "SSH port",
 "global_settings_setting_ssowat_panel_overlay_enabled": "SSOwat panel overlay",
 "global_settings_setting_user_strength": "User password strength",
+ "global_settings_setting_user_strength_help": "These requirements are only enforced when defining the password",
 "global_settings_setting_webadmin_allowlist": "Webadmin IP allowlist",
 "global_settings_setting_webadmin_allowlist_help": "IP adresses allowed to access the webadmin.",
 "global_settings_setting_webadmin_allowlist_enabled": "Enable Webadmin IP allowlist",
diff --git a/maintenance/missing_i18n_keys.py b/maintenance/missing_i18n_keys.py
index e152710ef..f85b49219 100644
--- a/maintenance/missing_i18n_keys.py
+++ b/maintenance/missing_i18n_keys.py
@@ -150,7 +150,7 @@ def find_expected_string_keys():
 # Global settings
 global_config = toml.load(open(ROOT + "share/config_global.toml"))
 # Boring hard-coding because there's no simple other way idk
- settings_without_help_key = ["admin_strength", "smtp_relay_host", "smtp_relay_password", "smtp_relay_port", "smtp_relay_user", "ssh_port", "ssowat_panel_overlay_enabled", "user_strength"]
+ settings_without_help_key = ["smtp_relay_host", "smtp_relay_password", "smtp_relay_port", "smtp_relay_user", "ssh_port", "ssowat_panel_overlay_enabled"]
 for panel in global_config.values():
 if not isinstance(panel, dict):
diff --git a/share/config_global.toml b/share/config_global.toml
index f13072704..775f02cdf 100644
--- a/share/config_global.toml
+++ b/share/config_global.toml
@@ -5,20 +5,30 @@ i18n = "global_settings_setting"
 name = "Security"
 [security.password]
 name = "Passwords"
+
 [security.password.admin_strength]
- type = "number"
+ type = "select"
+ choices.1 = "Require at least 8 chars"
+ choices.2 = "ditto, but also require at least one digit, one lower and one upper char"
+ choices.3 = "ditto, but also require at least one special char"
+ choices.4 = "ditto, but also require at least 12 chars"
 default = 1
 [security.password.user_strength]
- type = "number"
+ type = "select"
+ choices.1 = "Require at least 8 chars"
+ choices.2 = "ditto, but also require at least one digit, one lower and one upper char"
+ choices.3 = "ditto, but also require at least one special char"
+ choices.4 = "ditto, but also require at least 12 chars"
 default = 1
-
+
 [security.ssh]
 name = "SSH"
 [security.ssh.ssh_compatibility]
 type = "select"
+ choices.intermediate = "Intermediate (compatible with older softwares)"
+ choices.modern = "Modern (recommended)"
 default = "modern"
- choices = ["intermediate", "modern"]
 [security.ssh.ssh_port]
 type = "number"
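Review bot: In `[security.password.admin_strength]` and `[security.password.user_strength]` the new select keeps `default = 1` as a TOML integer, while the choice keys `choices.1` … `choices.4` are parsed as the strings "1" to "4"; if the config-panel select validates a stored value against its choice keys, the default (and any integer values carried over from the former `number` type) will match none of them. Either quote the defaults, `default = "1"`, or confirm that the panel coerces select values before comparing — this hunk does not show which. The consumer in src/utils/password.py does `int(settings[setting_key])`, so a string value would still work on that side.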
@@ -26,43 +36,37 @@ name = "Security"
 [security.ssh.ssh_password_authentication]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = true
 [security.ssh.ssh_allow_deprecated_dsa_hostkey]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = false
 [security.nginx]
 name = "NGINX"
 [security.nginx.nginx_redirect_to_https]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "True"
+ default = true
 [security.nginx.nginx_compatibility]
 type = "select"
+ choices.intermediate = "Intermediate (compatible with Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11, Opera 20, and Safari 9)"
+ choices.modern = "Modern (compatible with Firefox 63, Android 10.0, Chrome 70, Edge 75, Opera 57, and Safari 12.1)"
 default = "intermediate"
- choices = ["intermediate", "modern"]
 [security.postfix]
 name = "Postfix"
 [security.postfix.postfix_compatibility]
 type = "select"
+ choices.intermediate = "Intermediate (allows TLS 1.2)"
+ choices.modern = "Modern (TLS 1.3 only)"
 default = "intermediate"
- choices = ["intermediate", "modern"]
 [security.webadmin]
 name = "Webadmin"
 [security.webadmin.webadmin_allowlist_enabled]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = false
 [security.webadmin.webadmin_allowlist]
 type = "tags"
@@ -74,9 +78,7 @@ name = "Security"
 name = "Experimental"
 [security.experimental.security_experimental_enabled]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = false
 [email]
@@ -85,23 +87,17 @@ name = "Email"
 name = "POP3"
 [email.pop3.pop3_enabled]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = false
 [email.smtp]
 name = "SMTP"
 [email.smtp.smtp_allow_ipv6]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "True"
+ default = true
 [email.smtp.smtp_relay_enabled]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = false
 [email.smtp.smtp_relay_host]
 type = "string"
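Review bot: `[security.ssh.ssh_password_authentication]` is the only boolean in this hunk whose default changes value during the string-to-bool conversion: `default = "False"` becomes `default = true`, whereas every other entry here and in the `@@ -74` and `@@ -85` hunks keeps its previous truth value. Enabling SSH password authentication by default is a behaviour change with a security impact, not a format migration; if it is intended it should be stated in the commit message, otherwise the line should read `default = false`. The diff does not show which was meant.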
@@ -132,14 +128,10 @@ name = "Other"
 name = "SSOwat"
 [misc.ssowat.ssowat_panel_overlay_enabled]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "True"
+ default = true
 [misc.backup]
 name = "Backup"
 [misc.backup.backup_compress_tar_archives]
 type = "boolean"
- yes = "True"
- no = "False"
- default = "False"
+ default = false
diff --git a/src/migrations/0024_global_settings_to_configpanel.py b/src/migrations/0024_global_settings_to_configpanel.py
index 82b5580ae..e1d4d190b 100644
--- a/src/migrations/0024_global_settings_to_configpanel.py
+++ b/src/migrations/0024_global_settings_to_configpanel.py
@@ -29,12 +29,12 @@ class MyMigration(Migration):
 raise YunohostError(f"Can't open setting file : {e}", raw_msg=True)
 settings = {
- translate_legacy_settings_to_configpanel_settings(k): v["value"]
+ translate_legacy_settings_to_configpanel_settings(k).split('.')[-1]: v["value"]
 for k, v in old_settings.items()
 }
- if settings.get("email.smtp.smtp_relay_host") != "":
- settings["email.smtp.smtp_relay_enabled"] = "True"
+ if settings.get("smtp_relay_host"):
+ settings["smtp_relay_enabled"] = True
 # Here we don't use settings_set() from settings.py to prevent
 # Questions to be asked when one run the migration from CLI.
diff --git a/src/utils/password.py b/src/utils/password.py
index 565a6aca7..42ed45ddd 100644
--- a/src/utils/password.py
+++ b/src/utils/password.py
@@ -86,7 +86,7 @@ class PasswordValidator:
 # use as a script by ssowat.
 # (or at least that's my understanding -- Alex)
 settings = yaml.load(open("/etc/yunohost/settings.yml", "r"))
- setting_key = "security.password." + profile + "_strength"
+ setting_key = profile + "_strength"
 self.validation_strength = int(settings[setting_key])
 except Exception:
 # Fallback to default value if we can't fetch settings for some reason
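Review bot: Flattening every translated key to its last dotted segment with `.split('.')[-1]` in the `settings` comprehension silently loses data if two legacy settings map to the same leaf name under different panels — the comprehension keeps whichever comes last in `old_settings` and raises nothing. Whether such a pair exists depends on `translate_legacy_settings_to_configpanel_settings`, which is outside this hunk, so it is cheaper to guard than to assume: collect the flattened keys into a list first and `raise YunohostError("duplicate setting key after flattening", raw_msg=True)` when `len(set(keys)) != len(keys)`. The `smtp_relay_enabled` derivation below is consistent with the flattened names; the enclosing method continues outside the hunk.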
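Review bot: The new `setting_key = profile + "_strength"` lookup only succeeds once the migration has rewritten /etc/yunohost/settings.yml to flat keys; on a not-yet-migrated system `settings[setting_key]` raises KeyError, which the surrounding `except Exception` (its body continues outside the hunk) turns into a silent fallback to the default strength, quietly weakening a stricter configured policy. The same broad except also hides problems in the `yaml.load(open(...))` line above it: the file handle is never closed, and the loader-less `yaml.load` form warns on PyYAML 5.x and, as far as I recall, fails outright on 6.x, so the fallback would be taken on every call. `with open("/etc/yunohost/settings.yml") as f: settings = yaml.safe_load(f)` avoids both, and the except branch should log the caught exception so a missing or legacy key is visible rather than silently lowering validation strength.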