Password policy
You can select between three different password policies for the passwords of your users. The Standard and Strong password policies are available out-of-the-box and have a predefined set of policy parameters. If you want different policy parameters to meet the needs of your company, you can select the Custom password policy and configure your own policy parameters. Each of these policies is described in detail in the following sections.
Password policies are applied at the time when a user creates a password. For existing passwords, a change in policy comes into effect when users change their passwords.
The password policy is applicable only for login with Password. For social login, the responsibility of setting a password policy stays with the social identity provider.
Policy parameters
Each policy is defined by the following parameters.
Character complexity
Character complexity refers to the different types of characters a user has to include in a password. The more complex the password, the harder the attacker's job is to find a match. The Strong policy requires the use of at least one special character.
Password length
Passwords shorter than 8 characters are highly unsafe. On the other hand, a maximum length needs to be set to prevent long password Denial of Service attacks. Identity Cloud enforces a minimum password length of 8 characters and gives you the option to set a maximum password length between 8 and 256 characters.
Password history
If Password history is enabled, you can prohibit the user from re-using passwords from the last n
weeks. n
can have a value between 1 and 26 weeks. This gives you an advantage in preventing attacks where breached passwords are used.
Whenever a user changes their password, the system compares this new password with previous passwords of the user in the given time period. If at lease one match on this list is found, the user needs to create a different password.
Character repetition
Character repetition refers to the maximum length of identical characters in a row. The restriction of repeated characters prevents users from setting easy-to-guess passwords.
If Character repetition is enabled, repeating two characters is allowed, but three characters is prohibited.
Personal information
Re-use of personal information in the password is as dangerous as re-using known passwords.
Some algorithms are built to match re-used usernames with numbers and special characters, which makes finding out the passwords much easier.
If Personal information is enabled, Identity Cloud checks passwords against the username of the current user.
Standard policy
With Standard, you have a password policy configuration on an industry standard level.
We set up Standard in a way that it protects your users against attacks, while containing well-known password setup rules.

Strong policy
You can increase password strength and security more if you choose the Strong configuration option.
This option may slightly increase friction for your users as it requires longer and more complex passwords.

Custom policy
With a Custom password policy, you can configure password requirements for your users in the following dimensions:
- Character complexity to decide whether special characters are required
- Password length to set minimum length between 8 and 256 characters
- Password history to prevent the use of passwords used previously
- Character repetition to prevent simple character patterns
- Personal information to prevent the use of the
username
as password

This is how the password policy looks in action:
