2022-04-03 05:32:57 +07:00
---
layout: default
title: Password Policy
parent: Configuration
2022-04-18 06:58:24 +07:00
nav_order: 18
2022-04-03 05:32:57 +07:00
---
# Password Policy
2022-04-03 07:48:26 +07:00
2022-04-03 05:32:57 +07:00
_Authelia_ allows administrators to configure an enforced password policy.
## Configuration
```yaml
password_policy:
standard:
2022-04-03 07:48:26 +07:00
enabled: false
2022-04-03 05:32:57 +07:00
min_length: 8
max_length: 0
2022-04-03 18:58:27 +07:00
require_uppercase: false
require_lowercase: false
require_number: false
require_special: false
2022-04-03 05:32:57 +07:00
zxcvbn:
enabled: false
2022-04-15 16:30:51 +07:00
min_score: 3
2022-04-03 05:32:57 +07:00
```
## Options
### standard
< div markdown = "1" >
type: list
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
This section allows you to enable standard security policies.
#### enabled
< div markdown = "1" >
2022-04-15 16:30:51 +07:00
type: boolean
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-15 16:30:51 +07:00
default: false
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Enables standard password policy.
#### min_length
< div markdown = "1" >
2022-04-03 05:32:57 +07:00
type: integer
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
default: 8
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Determines the minimum allowed password length.
#### max_length
< div markdown = "1" >
2022-04-03 05:32:57 +07:00
type: integer
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
default: 0
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Determines the maximum allowed password length.
#### require_uppercase
< div markdown = "1" >
2022-04-15 16:30:51 +07:00
type: boolean
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-15 16:30:51 +07:00
default: false
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Indicates that at least one UPPERCASE letter must be provided as part of the password.
#### require_lowercase
< div markdown = "1" >
2022-04-15 16:30:51 +07:00
type: boolean
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-15 16:30:51 +07:00
default: false
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Indicates that at least one lowercase letter must be provided as part of the password.
#### require_number
< div markdown = "1" >
2022-04-15 16:30:51 +07:00
type: boolean
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-15 16:30:51 +07:00
default: false
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Indicates that at least one number must be provided as part of the password.
#### require_special
< div markdown = "1" >
2022-04-15 16:30:51 +07:00
type: boolean
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-15 16:30:51 +07:00
default: false
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
Indicates that at least one special character must be provided as part of the password.
2022-04-03 05:32:57 +07:00
### zxcvbn
2022-04-03 07:48:26 +07:00
This password policy enables advanced password strength metering, using [zxcvbn ](https://github.com/dropbox/zxcvbn ).
2022-04-03 05:32:57 +07:00
2022-04-03 07:48:26 +07:00
#### enabled
< div markdown = "1" >
2022-04-15 16:30:51 +07:00
type: boolean
2022-04-03 18:58:27 +07:00
{: .label .label-config .label-purple }
2022-04-15 16:30:51 +07:00
default: false
{: .label .label-config .label-blue }
2022-04-03 05:32:57 +07:00
required: no
{: .label .label-config .label-green }
< / div >
2022-04-03 07:48:26 +07:00
_**Important Note:** only one password policy can be applied at a time._
Enables zxcvbn password policy.
2022-04-15 16:30:51 +07:00
#### min_score
< div markdown = "1" >
type: integer
{: .label .label-config .label-purple }
default: 3
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }
< / div >
Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from [github.com/dropbox/zxcvbn ](https://github.com/dropbox/zxcvbn#usage )):
- score 0: too guessable: risky password (guesses < 10 ^ 3 )
- score 1: very guessable: protection from throttled online attacks (guesses < 10 ^ 6 )
- score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10 ^ 8 )
- score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10 ^ 10 )
- score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
2022-04-03 07:48:26 +07:00
2022-04-15 16:30:51 +07:00
We do not allow score 0, if you set the `min_score` value to 0 instead the default will be chosen.