Password policy

You can select between three different password policies for the passwords of your users. The Standard and Strong password policies are available out-of-the-box and have a predefined set of policy parameters. If you want different policy parameters to meet the needs of your company, you can select the Custom password policy and configure your own policy parameters. Each of these policies is described in detail in the following sections.

Password policies are applied at the time when a user creates a password. For existing passwords, a change in policy comes into effect when users change their passwords.


The password policy is applicable only for login with Password. For social login, the responsibility of setting a password policy stays with the social identity provider.

Policy parameters

Each policy is defined by the following parameters.

Character complexity

Character complexity refers to the different types of characters a user has to include in a password. The more complex the password, the harder the attacker's job is to find a match. The Strong policy requires the use of at least one special character.

Password length

Passwords shorter than 8 characters are highly unsafe. On the other hand, a maximum length needs to be set to prevent long password Denial of Service attacks. Identity Cloud enforces a minimum password length of 8 characters and gives you the option to set a maximum password length between 8 and 256 characters.

Password history

If Password history is enabled, you can prohibit the user from re-using passwords from the last n weeks. n can have a value between 1 and 26 weeks. This gives you an advantage in preventing attacks where breached passwords are used.

Whenever a user changes their password, the system compares the new password with the user's previous passwords from the given time period. If at least one match is found, the user needs to create a different password.

Character repetition

Character repetition refers to the maximum number of identical characters in a row. Restricting repeated characters prevents users from setting easy-to-guess passwords.

If Character repetition is enabled, two identical characters in a row are allowed, but three are prohibited.

Personal information

Re-use of personal information in the password is as dangerous as re-using known passwords.

Some password-guessing algorithms are built to combine re-used usernames with numbers and special characters, which makes such passwords much easier to find.

If Personal information is enabled, Identity Cloud checks passwords against the username of the current user.
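
The parameters described above, combined into one validator as an added example (this is not Identity Cloud's implementation). The `Policy` class, the rule names, the PBKDF2 history records, the ASCII punctuation set and the case-insensitive username match are assumptions.

```python
import hashlib, hmac, os, re, string
from dataclasses import dataclass
from datetime import timedelta

MIN_LENGTH = 8          # page: enforced minimum length
ITERATIONS = 600_000    # assumption: PBKDF2 work factor, tune for your hardware

@dataclass
class Policy:           # hypothetical container for the page's parameters
    max_length: int = 256           # page: configurable between 8 and 256
    require_special: bool = False   # page: required by the Strong policy
    history_weeks: int = 0          # page: 1 to 26 when enabled; 0 = disabled here
    block_repetition: bool = False
    block_username: bool = False

def hash_password(password, salt=None):
    """Return (salt, digest) for a history record (storage format is an assumption)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def violations(password, username, policy, history, now):
    """history: list of (changed_at, salt, digest). Returns the violated rule names."""
    # Length is checked first, so an oversized input never reaches the slow hash.
    if len(password) < MIN_LENGTH:
        return ["too_short"]
    if len(password) > policy.max_length:
        return ["too_long"]
    found = []
    # Assumption: "special" means ASCII punctuation.
    if policy.require_special and not any(c in string.punctuation for c in password):
        found.append("missing_special")
    # Two identical characters in a row pass, three do not.
    if policy.block_repetition and re.search(r"(.)\1\1", password, re.S):
        found.append("repetition")
    # Assumption: case-insensitive containment of the username.
    if policy.block_username and username and username.lower() in password.lower():
        found.append("contains_username")
    if policy.history_weeks:
        cutoff = now - timedelta(weeks=policy.history_weeks)
        for changed_at, salt, digest in history:
            if changed_at < cutoff:
                continue            # outside the n-week window, reuse is allowed
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                found.append("reused")
                break
    return found
```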

Standard policy

With Standard, you have a password policy configuration at an industry-standard level.

We set up Standard so that it protects your users against attacks while keeping to well-known password setup rules.

Standard password policy

Strong policy

You can further increase password strength and security by choosing the Strong configuration option.

This option may slightly increase friction for your users as it requires longer and more complex passwords.

Strong password policy

Custom policy

With a Custom password policy, you can configure password requirements for your users in the following dimensions:

  • Character complexity to decide whether special characters are required
  • Password length to set minimum length between 8 and 256 characters
  • Password history to prevent the use of passwords used previously
  • Character repetition to prevent simple character patterns
  • Personal information to prevent the use of the username as password

Standard password policy

This is how the password policy looks in action:

Password setup