Configuring your applications requires you to find a balance between security and user comfort.
The password policy is applicable only for login with Password. For social login, the responsibility of setting a good password policy stays with the social identity provider.
With Standard, you have a password policy configuration on an industry standard level.
We set up Standard in a way that it protects your users against attacks, while containing well-known password setup rules.
You can increase password strength and security even more if you choose the Strong configuration option.
This option may slightly increase friction for your users. Strong is the other end of the scale, but it still aims at providing a fair user experience.
This is how the password policy looks in action:
Character complexity refers to the different types of characters a user has to include in a password. The more complex the password, the harder the attacker's job is to find a match.
Standard strength and High strength options differ only in the use of special characters.
Passwords shorter than 8 characters are below industry standard. Identity Cloud gives you the option to set a minimum password length stronger than this.
On the other hand, a maximum length needs to be set to prevent long password Denial of Service attacks.
If the maximum password length is too low, users may not be able to use automatically generated passphrases.
If Password history is enabled, you can prohibit the user from re-using passwords from the last
This gives you an advantage in preventing attacks where breached passwords are used.
Whenever a user changes their password, the system compares this new password with previous passwords of the user in the given time period. If at lease one match on this list is found, the user needs to choose a new password.
Character repetition refers to the maximum length of identical characters in a row. The restriction of repeated characters prevents users from setting easy-to-guess passwords.
If Character repetition is enabled, repeating two characters is allowed, but three characters is prohibited.
Re-use of personal information in the password is as dangerous as re-using known passwords.
Some algorithms are built to match re-used usernames with numbers and special characters, which makes finding out the passwords much easier.
If Password dictionary is enabled, Identity Cloud checks passwords against the username of the current user.
To avoid user friction, there is no default password expiration time.
Was this page helpful?