Password Policy
The Password Policy defines the complexity rules that new passwords must satisfy. These rules are enforced in two places:
- The self-service password reset portal — rules are shown to the user before they submit a new password
- The admin local user creation and edit forms — same rules apply when an admin sets a password for a local user
Configuration
Password Policy settings are available at Configuration → Password Policy (or Users → Password Policy, depending on your version).
Password Strength (Master Toggle)
Enables or disables all complexity enforcement. When this toggle is off, no password rules are applied — any non-empty password is accepted.
Default: Disabled
When enabled, the following rules become configurable:
Minimum Password Length
The minimum number of characters a password must contain.
| Bound | Value |
|---|---|
| Minimum | 1 character |
| Maximum | 255 characters |
Example: Setting this to 12 requires all passwords to be at least 12 characters long.
Require Uppercase Letter
When enabled, the password must contain at least one uppercase letter (A–Z).
Require Lowercase Letter
When enabled, the password must contain at least one lowercase letter (a–z).
Require Number
When enabled, the password must contain at least one numeric digit (0–9).
Require Special Character
When enabled, the password must contain at least one special character (e.g., ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ' " , . < > / ? \ |).
How Rules Are Shown to Users
During a self-service password reset (Step 4 of the reset flow), the portal displays the currently active password requirements so users know what is expected before they submit:
- Minimum length is shown if set
- Each enabled character-type rule is listed as a requirement
If the submitted password does not meet all active rules, the form returns a validation error and the user must try again.
Example Configurations
Basic Policy (minimum security)
- Password Strength: Enabled
- Minimum Length: 8
- All character type rules: Disabled
Standard Corporate Policy
- Password Strength: Enabled
- Minimum Length: 10
- Require Uppercase: Yes
- Require Lowercase: Yes
- Require Number: Yes
- Require Special Character: No
High-Security Policy
- Password Strength: Enabled
- Minimum Length: 14
- Require Uppercase: Yes
- Require Lowercase: Yes
- Require Number: Yes
- Require Special Character: Yes
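The rules and the three example configurations above, expressed as a small validator that reports every failed requirement. This is an added example, not the product's own code: the class, field and method names are hypothetical, the special-character set is assumed to be exactly the characters listed above, and letters and digits are matched as ASCII only, following the A–Z, a–z and 0–9 ranges.

```python
import string
from dataclasses import dataclass

# Assumption: the page gives these characters only as examples ("e.g."),
# so the product's actual special-character set may differ.
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|")


@dataclass(frozen=True)
class PasswordPolicy:
    enabled: bool = False  # master toggle; the documented default is Disabled
    min_length: int = 1
    upper: bool = False
    lower: bool = False
    digit: bool = False
    special: bool = False

    def __post_init__(self):
        if not 1 <= self.min_length <= 255:
            raise ValueError("minimum length must be 1-255")

    def rules(self):
        """Active (label, check) pairs, i.e. what the portal would list."""
        if not self.enabled:
            return []
        classes = [
            (self.upper, "an uppercase letter (A-Z)", string.ascii_uppercase),
            (self.lower, "a lowercase letter (a-z)", string.ascii_lowercase),
            (self.digit, "a digit (0-9)", string.digits),
            (self.special, "a special character", SPECIALS),
        ]
        out = [(f"at least {self.min_length} characters",
                lambda p: len(p) >= self.min_length)]
        for on, label, chars in classes:
            if on:
                out.append((label, lambda p, c=frozenset(chars): any(ch in c for ch in p)))
        return out

    def violations(self, password):
        """Labels of every active rule the password fails; [] means accepted."""
        if not password:
            return ["password must not be empty"]  # holds even with the toggle off
        return [label for label, check in self.rules() if not check(password)]


# The three example configurations from this page.
BASIC = PasswordPolicy(enabled=True, min_length=8)
STANDARD = PasswordPolicy(True, 10, upper=True, lower=True, digit=True)
HIGH = PasswordPolicy(True, 14, upper=True, lower=True, digit=True, special=True)
```

Returning all failed rules at once, rather than stopping at the first, matches a form that lists every requirement up front.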
Important Considerations
- The policy applies globally to all local users and to all password reset flows — there is no per-application or per-user policy.
- Policy changes take effect immediately and apply from the next password submission. Existing passwords are not retroactively invalidated.
- The policy cache is cleared automatically when settings are saved.
- LDAP user passwords are changed on the LDAP server; complexity rules on the LDAP server (e.g., Active Directory password policy) apply independently and are not overridden by this setting.