authelia/docs/content/en/configuration/security/password-policy.md

3.0 KiB

title description lead date draft images menu weight toc aliases
Password Policy Password Policy Configuration Configuring the Password Policy. 2022-04-12T14:40:22+10:00 false
configuration
parent
security
104400 true
/docs/configuration/password_policy.html

Authelia allows administrators to configure an enforced password policy.

Configuration

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: false
    require_lowercase: false
    require_number: false
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3

Options

standard

This section allows you to enable standard security policies.

enabled

{{< confkey type="boolean" default="false" required="no" >}}

Enables standard password policy.

min_length

{{< confkey type="integer" default="8" required="no" >}}

Determines the minimum allowed password length.

max_length

{{< confkey type="integer" default="0" required="no" >}}

Determines the maximum allowed password length.

require_uppercase

{{< confkey type="boolean" default="false" required="no" >}}

Indicates that at least one UPPERCASE letter must be provided as part of the password.

require_lowercase

{{< confkey type="boolean" default="false" required="no" >}}

Indicates that at least one lowercase letter must be provided as part of the password.

require_number

{{< confkey type="boolean" default="false" required="no" >}}

Indicates that at least one number must be provided as part of the password.

require_special

{{< confkey type="boolean" default="false" required="no" >}}

Indicates that at least one special character must be provided as part of the password.

zxcvbn

This password policy enables advanced password strength metering, using zxcvbn.

Note that this password policy do not restrict the user's entry it just gives the user feedback as to how strong their password is.

enabled

{{< confkey type="boolean" default="false" required="no" >}}

Important Note: only one password policy can be applied at a time.

Enables zxcvbn password policy.

min_score

{{< confkey type="integer" default="3" required="no" >}}

Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from github.com/dropbox/zxcvbn):

  • score 0: too guessable: risky password (guesses < 10^3)
  • score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
  • score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
  • score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  • score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

We do not allow score 0, if you set the min_score value to 0 instead the default will be used instead.