Fork me on GitHub Link Search Menu Expand Document Survey contribution
Help the team improve Authelia by taking this 10-second survey.

Password Policy

Authelia allows administrators to configure an enforced password policy.

Configuration

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: false
    require_lowercase: false
    require_number: false
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3

Options

standard

type: list

required: no

This section allows you to enable standard security policies.

enabled

type: boolean

default: false

required: no

Enables standard password policy.

min_length

type: integer

default: 8

required: no

Determines the minimum allowed password length.

max_length

type: integer

default: 0

required: no

Determines the maximum allowed password length.

require_uppercase

type: boolean

default: false

required: no

Indicates that at least one UPPERCASE letter must be provided as part of the password.

require_lowercase

type: boolean

default: false

required: no

Indicates that at least one lowercase letter must be provided as part of the password.

require_number

type: boolean

default: false

required: no

Indicates that at least one number must be provided as part of the password.

require_special

type: boolean

default: false

required: no

Indicates that at least one special character must be provided as part of the password.

zxcvbn

This password policy enables advanced password strength metering, using zxcvbn.

enabled

type: boolean

default: false

required: no

Important Note: only one password policy can be applied at a time.

Enables zxcvbn password policy.

min_score

type: integer

default: 3

required: no

Configures the minimum zxcvbn score allowed for new passwords. There are 5 levels in the zxcvbn score system (taken from github.com/dropbox/zxcvbn):

  • score 0: too guessable: risky password (guesses < 10^3)
  • score 1: very guessable: protection from throttled online attacks (guesses < 10^6)
  • score 2: somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
  • score 3: safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  • score 4: very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

We do not allow score 0, if you set the min_score value to 0 instead the default will be chosen.