authelia/docs/configuration/password_policy.md
James Elliott 92aba8eb0b
feat(server): zxcvbn password policy server side (#3151)
This is so the zxcvbn ppolicy is checked on the server.
2022-04-15 19:30:51 +10:00


---
layout: default
title: Password Policy
parent: Configuration
nav_order: 17
---

# Password Policy

Authelia allows administrators to configure an enforced password policy.

## Configuration

```yaml
password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: false
    require_lowercase: false
    require_number: false
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3
```

## Options

### standard

type: list
{: .label .label-config .label-purple }
required: no
{: .label .label-config .label-green }

This section allows you to enable the standard password policy.

#### enabled

type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Enables the standard password policy.

#### min_length

type: integer
{: .label .label-config .label-purple }
default: 8
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Determines the minimum allowed password length.

#### max_length

type: integer
{: .label .label-config .label-purple }
default: 0
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Determines the maximum allowed password length.

#### require_uppercase

type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Indicates that at least one UPPERCASE letter must be provided as part of the password.

#### require_lowercase

type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Indicates that at least one lowercase letter must be provided as part of the password.

#### require_number

type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Indicates that at least one number must be provided as part of the password.

#### require_special

type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Indicates that at least one special character must be provided as part of the password.
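As an added example (not Authelia's own code), the following Go program applies the rules of the `standard` section above to a candidate password and reports every rule it violates. The `StandardPolicy` type and its `Check` method are assumptions made for this example, as are two readings of the options that the page does not spell out: `max_length: 0` is treated as "no upper bound" (otherwise the default would reject every password), and a "special character" is taken to be any Unicode punctuation or symbol.

```go
package main

import (
	"fmt"
	"unicode"
)

// StandardPolicy carries the same settings as the documented `standard`
// section. It is a hypothetical type written for this example, not
// Authelia's configuration struct.
type StandardPolicy struct {
	Enabled          bool
	MinLength        int
	MaxLength        int // assumption: 0 means no upper bound
	RequireUppercase bool
	RequireLowercase bool
	RequireNumber    bool
	RequireSpecial   bool
}

// Check returns one message per rule the candidate password violates.
// An empty result means the password is acceptable under this policy.
// Length is measured in Unicode code points rather than bytes, so a
// password made of multi-byte characters is not penalised for its encoding.
func (p StandardPolicy) Check(password string) []string {
	if !p.Enabled {
		return nil // a disabled policy accepts every password
	}

	var failures []string
	runes := []rune(password)

	if len(runes) < p.MinLength {
		failures = append(failures, fmt.Sprintf("must be at least %d characters", p.MinLength))
	}
	if p.MaxLength > 0 && len(runes) > p.MaxLength {
		failures = append(failures, fmt.Sprintf("must be at most %d characters", p.MaxLength))
	}

	// Classify every character once; the Unicode categories used here
	// are mutually exclusive, so a single switch is enough.
	var hasUpper, hasLower, hasNumber, hasSpecial bool
	for _, r := range runes {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasNumber = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			// assumption: "special" means the punctuation and symbol classes
			hasSpecial = true
		}
	}

	if p.RequireUppercase && !hasUpper {
		failures = append(failures, "must contain an uppercase letter")
	}
	if p.RequireLowercase && !hasLower {
		failures = append(failures, "must contain a lowercase letter")
	}
	if p.RequireNumber && !hasNumber {
		failures = append(failures, "must contain a number")
	}
	if p.RequireSpecial && !hasSpecial {
		failures = append(failures, "must contain a special character")
	}
	return failures
}

func main() {
	policy := StandardPolicy{
		Enabled: true, MinLength: 8,
		RequireUppercase: true, RequireLowercase: true,
		RequireNumber: true, RequireSpecial: true,
	}
	// Constructed sample candidates for the demonstration, not real credentials.
	for _, candidate := range []string{"password", "Tr0ub4dor&3"} {
		fmt.Printf("%q -> %v\n", candidate, policy.Check(candidate))
	}
}
```

Collecting all violations in one pass, rather than stopping at the first, lets the user fix a rejected password in a single attempt instead of discovering the rules one error at a time. The disabled policy returning `nil` mirrors the default configuration above, where `enabled: false` means no standard rule is applied.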

### zxcvbn

This password policy enables advanced password strength metering, using zxcvbn.

#### enabled

type: boolean
{: .label .label-config .label-purple }
default: false
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Important Note: only one password policy can be applied at a time.

Enables the zxcvbn password policy.

#### min_score

type: integer
{: .label .label-config .label-purple }
default: 3
{: .label .label-config .label-blue }
required: no
{: .label .label-config .label-green }

Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from github.com/dropbox/zxcvbn):

* score 0: too guessable: risky password (guesses < 10^3)
* score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
* score 2: somewhat guessable: protection from unthrottled online attacks (guesses < 10^8)
* score 3: safely unguessable: moderate protection from offline slow-hash scenario (guesses < 10^10)
* score 4: very unguessable: strong protection from offline slow-hash scenario (guesses >= 10^10)

Score 0 is not allowed; if you set `min_score` to 0, the default value is used instead.