Password Policy
Use a Password policy when you want to validate a password entered in a prompt stage.
This policy is most often attached to a Prompt stage through that stage's Validation Policies.
What it can enforce
A Password policy can enforce:
- minimum length
- minimum counts for uppercase, lowercase, digits, and symbols
- a custom symbol set
- Have I Been Pwned exposure checks
- zxcvbn strength checks
The policy reads the configured password field from prompt data, so the field key in the policy must match the password field used by your prompt stage.
By default, authentik's Password policy follows NIST password guidance; review the implications before tightening or weakening those defaults. For broader guidance, see Hardening authentik.
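The character-count rules above, and the requirement that the policy's field key match the prompt stage's password field, are shown in this added Python example. It is illustrative code written for this page, not authentik's own implementation: the `PasswordRules` class, the `check_password` and `validate_prompt_data` functions, and the sample prompt data are all assumptions constructed here.

```python
import string
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PasswordRules:
    """Hypothetical rule set mirroring the knobs a Password policy exposes."""
    min_length: int = 8
    min_uppercase: int = 0
    min_lowercase: int = 0
    min_digits: int = 0
    min_symbols: int = 0
    # Custom symbol set; defaults to ASCII punctuation.
    symbol_set: str = string.punctuation


def check_password(password: str, rules: PasswordRules) -> List[str]:
    """Return a list of failed rules (empty list means the password passes)."""
    failures = []
    if len(password) < rules.min_length:
        failures.append(f"length {len(password)} < minimum {rules.min_length}")

    # Count each character class once; symbols are only those in the configured set.
    upper = sum(1 for c in password if c.isupper())
    lower = sum(1 for c in password if c.islower())
    digits = sum(1 for c in password if c.isdigit())
    symbols = sum(1 for c in password if c in rules.symbol_set)

    for name, have, need in (
        ("uppercase", upper, rules.min_uppercase),
        ("lowercase", lower, rules.min_lowercase),
        ("digits", digits, rules.min_digits),
        ("symbols", symbols, rules.min_symbols),
    ):
        if have < need:
            failures.append(f"{name}: {have} < minimum {need}")
    return failures


def validate_prompt_data(prompt_data: Dict[str, str], field_key: str,
                         rules: PasswordRules) -> List[str]:
    """Look up the password under the policy's field key, as the policy does with prompt data.

    A mismatched key is reported as a failure rather than silently passing,
    so a misconfigured policy cannot let any password through unchecked.
    """
    if field_key not in prompt_data:
        return [f"password field '{field_key}' missing from prompt data"]
    return check_password(prompt_data[field_key], rules)


if __name__ == "__main__":
    rules = PasswordRules(min_length=12, min_uppercase=1, min_digits=1, min_symbols=1)
    # Constructed prompt data as a prompt stage might submit it (assumed field names).
    prompt_data = {"password": "Correct-Horse-7", "password_repeat": "Correct-Horse-7"}
    print(validate_prompt_data(prompt_data, "password", rules))   # []
    print(validate_prompt_data(prompt_data, "passwd", rules))     # key mismatch failure
    print(check_password("correcthorse", rules))                  # three class failures
```

Note that with a custom symbol set such as `!@#`, a hyphen no longer counts as a symbol, which is the practical effect of the "custom symbol set" option.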
Have I Been Pwned checks
When the HIBP check is enabled, authentik compares the password's hash against the Have I Been Pwned (Pwned Passwords) database.
Only the first 5 characters of the SHA-1 hash are sent to the API; the API returns the hash suffixes it knows for that prefix, and the comparison against the full hash is done in authentik, so the password itself and its complete hash never leave the server.
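The prefix-only (k-anonymity) lookup described above, as an added Python example that is not authentik's code. The real endpoint is `https://api.pwnedpasswords.com/range/{prefix}`; to run offline, this example replaces it with `fake_range_lookup`, a stand-in built from a small constructed breach list, and records which prefixes were "sent" so the privacy property can be checked.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords corpus; the counts are made up.
CONSTRUCTED_BREACHES: Dict[str, int] = {"password": 3730471, "hunter2": 17, "letmein": 250}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_index(breaches: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the breach corpus by 5-character hash prefix, as the range API does."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in breaches.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


FAKE_INDEX = build_fake_range_index(CONSTRUCTED_BREACHES)
REQUESTED_PREFIXES: List[str] = []   # what the "server" actually received


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for GET .../range/{prefix}; returns 'SUFFIX:COUNT' lines like the real API."""
    REQUESTED_PREFIXES.append(prefix)
    return "\r\n".join(FAKE_INDEX.get(prefix, []))


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Return how often the password appears in the corpus, 0 if never.

    Only the first 5 hex characters of the hash are sent; the remaining 35 are
    compared locally against the suffixes the server returns for that prefix.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print(pwned_count("hunter2"))                          # 17
    print(pwned_count("a constructed passphrase nobody reused"))  # 0
    print(REQUESTED_PREFIXES)                              # only 5-character prefixes
```

A policy built on this would reject any password with a non-zero count (or a count above a configured threshold); the check itself reveals nothing more than a 5-character prefix shared by many unrelated passwords.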
zxcvbn checks
When the zxcvbn check is enabled, authentik evaluates password strength and can reject passwords that are still weak even if they satisfy simple character-count rules.
Create a Password policy
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Customization > Policies.
- Click Create and select Password Policy.
- Configure the password field and validation rules you want to enforce.
- Click Finish.
Attach it to password entry
In most cases, bind the policy to the prompt stage where the user enters a new password.
This is commonly used in:
- enrollment flows
- password reset flows
- password change flows
If you also want to prevent password reuse, combine this policy with the Password Uniqueness policy.