Password Policy
Authelia allows administrators to configure an enforced password policy.
Configuration
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: false
require_lowercase: false
require_number: false
require_special: false
zxcvbn:
enabled: false
min_score: 3
Options
standard
type: list
required: no
This section allows you to enable standard security policies.
enabled
type: boolean
default: false
required: no
Enables standard password policy.
min_length
type: integer
default: 8
required: no
Determines the minimum allowed password length.
max_length
type: integer
default: 0
required: no
Determines the maximum allowed password length.
require_uppercase
type: boolean
default: false
required: no
Indicates that at least one UPPERCASE letter must be provided as part of the password.
require_lowercase
type: boolean
default: false
required: no
Indicates that at least one lowercase letter must be provided as part of the password.
require_number
type: boolean
default: false
required: no
Indicates that at least one number must be provided as part of the password.
require_special
type: boolean
default: false
required: no
Indicates that at least one special character must be provided as part of the password.
zxcvbn
This password policy enables advanced password strength metering, using zxcvbn.
enabled
type: boolean
default: false
required: no
Important Note: only one password policy can be applied at a time.
Enables zxcvbn password policy.
min_score
type: integer
default: 3
required: no
Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from github.com/dropbox/zxcvbn):
- score 0: too guessable: risky password (guesses < 10^3)
- score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
- score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
- score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
- score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
We do not allow score 0, if you set the min_score
value to 0 instead the default will be chosen.