Password Policy

Authelia allows administrators to configure an enforced password policy.

Configuration

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: false
    require_lowercase: false
    require_number: false
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3

Options

standard

This section allows you to enable standard security policies.

enabled

Enables standard password policy.

min_length

Determines the minimum allowed password length.

max_length

Determines the maximum allowed password length.

require_uppercase

Indicates that at least one UPPERCASE letter must be provided as part of the password.

require_lowercase

Indicates that at least one lowercase letter must be provided as part of the password.

require_number

Indicates that at least one number must be provided as part of the password.

require_special

Indicates that at least one special character must be provided as part of the password.

zxcvbn

This password policy enables advanced password strength metering, using zxcvbn.

enabled

Important Note: only one password policy can be applied at a time.

Enables zxcvbn password policy.

min_score

Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from github.com/dropbox/zxcvbn):

• score 0: too guessable: risky password (guesses < 10^3)
• score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
• score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
• score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
• score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

We do not allow score 0, if you set the min_score value to 0 instead the default will be chosen.