authelia/docs/configuration/password_policy.md

---
layout: default
title: Password Policy
parent: Configuration
nav_order: 18
---

# Password Policy

_Authelia_ allows administrators to configure an enforced password policy.

## Configuration

```yaml
password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: false
    require_lowercase: false
    require_number: false
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3
```

## Options

### standard
<div markdown="1">
type: list
{: .label .label-config .label-purple }
required: no
{: .label .label-config .label-green }
</div>

This section allows you to enable standard security policies.

#### enabled
<div markdown="1">
type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Enables standard password policy.

#### min_length
<div markdown="1">
type: integer
{: .label .label-config .label-purple }
default: 8
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Determines the minimum allowed password length.

#### max_length
<div markdown="1">
type: integer
{: .label .label-config .label-purple }
default: 0
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Determines the maximum allowed password length.

#### require_uppercase
<div markdown="1">
type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Indicates that at least one UPPERCASE letter must be provided as part of the password.

#### require_lowercase
<div markdown="1">
type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Indicates that at least one lowercase letter must be provided as part of the password.

#### require_number
<div markdown="1">
type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Indicates that at least one number must be provided as part of the password.

#### require_special
<div markdown="1">
type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Indicates that at least one special character must be provided as part of the password.

### zxcvbn

This password policy enables advanced password strength metering, using [zxcvbn](https://github.com/dropbox/zxcvbn).

#### enabled
<div markdown="1">
type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

_**Important Note:** only one password policy can be applied at a time._

Enables zxcvbn password policy.

#### min_score
<div markdown="1">
type: integer
{: .label .label-config .label-purple }
default: 3
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
</div>

Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from [github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn#usage)):

- score 0: too guessable: risky password (guesses < 10^3)
- score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
- score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
- score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
- score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

We do not allow score 0, if you set the `min_score` value to 0 instead the default will be chosen.
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`---`
			`layout: default`
			`title: Password Policy`
			`parent: Configuration`
feat(configuration): configurable default second factor method (#3081) This allows configuring the default second factor method. 2022-04-17 23:58:24 +00:00			`nav_order: 18`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`---`

			`# Password Policy`
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`_Authelia_ allows administrators to configure an enforced password policy.`

			`## Configuration`

			```yaml
			`password_policy:`
			`standard:`
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`enabled: false`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`min_length: 8`
			`max_length: 0`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`require_uppercase: false`
			`require_lowercase: false`
			`require_number: false`
			`require_special: false`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`zxcvbn:`
			`enabled: false`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`min_score: 3`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			```

			`## Options`

			`### standard`
			`<div markdown="1">`
			`type: list`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`This section allows you to enable standard security policies.`

			`#### enabled`
			`<div markdown="1">`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`type: boolean`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`default: false`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Enables standard password policy.`

			`#### min_length`
			`<div markdown="1">`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`type: integer`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
			`default: 8`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Determines the minimum allowed password length.`

			`#### max_length`
			`<div markdown="1">`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`type: integer`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
			`default: 0`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Determines the maximum allowed password length.`

			`#### require_uppercase`
			`<div markdown="1">`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`type: boolean`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`default: false`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Indicates that at least one UPPERCASE letter must be provided as part of the password.`

			`#### require_lowercase`
			`<div markdown="1">`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`type: boolean`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`default: false`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Indicates that at least one lowercase letter must be provided as part of the password.`

			`#### require_number`
			`<div markdown="1">`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`type: boolean`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`default: false`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Indicates that at least one number must be provided as part of the password.`

			`#### require_special`
			`<div markdown="1">`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`type: boolean`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`default: false`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`Indicates that at least one special character must be provided as part of the password.`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00
			`### zxcvbn`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`This password policy enables advanced password strength metering, using [zxcvbn](https://github.com/dropbox/zxcvbn).`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`#### enabled`
			`<div markdown="1">`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`type: boolean`
refactor(handlers): ppolicy (#3103) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 11:58:27 +00:00			`{: .label .label-config .label-purple }`
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`default: false`
			`{: .label .label-config .label-blue }`
feat(authentication): password policy (#2723) Implement a password policy with visual feedback in the web portal. Co-authored-by: Manuel Nuñez <@mind-ar> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2022-04-02 22:32:57 +00:00			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00			`_Important Note: only one password policy can be applied at a time._`

			`Enables zxcvbn password policy.`

feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			`#### min_score`
			`<div markdown="1">`
			`type: integer`
			`{: .label .label-config .label-purple }`
			`default: 3`
			`{: .label .label-config .label-blue }`
			`required: no`
			`{: .label .label-config .label-green }`
			`</div>`

			`Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from [github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn#usage)):`

			`- score 0: too guessable: risky password (guesses < 10^3)`
			`- score 1: very guessable: protection from throttled online attacks (guesses < 10^6)`
			`- score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)`
			`- score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)`
			`- score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)`
refactor: misc password policy refactoring (#3102) Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup. 2022-04-03 00:48:26 +00:00
feat(server): zxcvbn password policy server side (#3151) This is so the zxcvbn ppolicy is checked on the server. 2022-04-15 09:30:51 +00:00			We do not allow score 0, if you set the `min_score` value to 0 instead the default will be chosen.