This is so the zxcvbn ppolicy is checked on the server.
3.8 KiB
layout | title | parent | nav_order |
---|---|---|---|
default | Password Policy | Configuration | 17 |
Password Policy
Authelia allows administrators to configure an enforced password policy.
Configuration
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: false
require_lowercase: false
require_number: false
require_special: false
zxcvbn:
enabled: false
min_score: 3
Options
standard
This section allows you to enable standard security policies.
enabled
Enables standard password policy.
min_length
Determines the minimum allowed password length.
max_length
Determines the maximum allowed password length.
require_uppercase
Indicates that at least one UPPERCASE letter must be provided as part of the password.
require_lowercase
Indicates that at least one lowercase letter must be provided as part of the password.
require_number
Indicates that at least one number must be provided as part of the password.
require_special
Indicates that at least one special character must be provided as part of the password.
zxcvbn
This password policy enables advanced password strength metering, using zxcvbn.
enabled
Important Note: only one password policy can be applied at a time.
Enables zxcvbn password policy.
min_score
Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from github.com/dropbox/zxcvbn):
- score 0: too guessable: risky password (guesses < 10^3)
- score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
- score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
- score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
- score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
We do not allow score 0, if you set the min_score
value to 0 instead the default will be chosen.