| description |
|---|
| Setting format and strength requirements for passwords |
Authgear allows you to set a password policy for your project. This page walks through setting password requirements, password strength, keywords to exclude, and password expiry from the Authgear Portal.
You can configure your password policy under the Password settings in the Authgear Portal.
Choose a minimum character length, and use the checkboxes provided to include one or more requirements for a valid password.
To ensure your updated password policy applies to both existing and new users, toggle on "Force password change on next login". All users will be required to update their passwords if their current passwords do not meet the newly configured policy.
Password strength is simply a measure of how difficult it is to guess or crack a password.
Authgear currently uses the zxcvbn password strength estimator library, which goes beyond basic requirements (like length or character variety) and uses pattern matching to recognize common insecure passwords.
How password strength is calculated in Authgear
A password is scored for how guessable it is using the zxcvbn algorithm: the estimator looks for dictionary words, common passwords, keyboard walks, dates and repeats, estimates the number of guesses an attacker would need, and maps that estimate to a score from 0 to 4.
The following table shows the scores for the various minimum password strength levels in Authgear.
| Password Strength Level | Score | Description |
|---|---|---|
| N/A | - | Ignore the Advanced password strength score entirely and apply only the Basic password policy (e.g. minimum password length). |
| Extremely guessable | 0 | Too guessable: risky password. (guesses < 10^3) |
| Very guessable | 1 | Very guessable: protection from throttled online attacks. (guesses < 10^6) |
| Fair | 2 | Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8) |
| Very unguessable | 3 | Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10) |
| Extremely unguessable | 4 | Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10) |
Scroll down to the Advanced sub-section of the Password tab, then select your preferred option from the Min. password strength level dropdown.
Toggle on Prevent Password Reuse to ensure a new, unique password is set during password changes.
For example, with the history window set to 90 days and the history size set to 3, the new password cannot match any password used within the last 90 days, nor any of the 3 most recently used passwords. The two limits are combined: a previous password is rejected if it falls inside either window.
You can also disallow specific keywords in the user's password. Simply add them to the "Keywords to be excluded" field, and the admin or user will not be able to set a password containing the listed keywords.
Once you're done, remember to hit Save to keep your changes.
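To show how the settings above combine into a single accept/reject decision, here is an added Python model of such a policy evaluator. It is an illustration written for this page, not Authgear's code, and every name in it (PasswordPolicy, evaluate, record_password, is_reused) is this example's own. The strength estimator is a deliberately crude stand-in for zxcvbn (it only knows a tiny constructed list of common passwords and otherwise prices brute force over the character classes used); what it does reproduce faithfully is the guesses-to-score bucketing from the table above, and the reuse window, which treats "last 3 passwords" and "within 90 days" as a union. The password history is stored as salted scrypt digests and compared in constant time, as a real store should.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    """Knobs mirroring the Portal settings (field names are this example's, not Authgear's)."""
    min_length: int = 8
    uppercase_required: bool = False
    lowercase_required: bool = False
    digit_required: bool = False
    symbol_required: bool = False
    minimum_guessable_level: Optional[int] = None  # None = "N/A": ignore the strength score
    excluded_keywords: List[str] = field(default_factory=list)
    history_size: int = 0   # reject the last N passwords
    history_days: int = 0   # reject any password used within the last N days


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    created_at: datetime


def _slow_hash(password: str, salt: bytes) -> bytes:
    # scrypt stands in for the slow hash a real store uses (bcrypt/argon2);
    # previous passwords must never be kept in clear or under a fast hash.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 13, r=8, p=1, dklen=32)


def record_password(history: List[HistoryEntry], password: str, now: datetime) -> None:
    salt = os.urandom(16)
    history.append(HistoryEntry(salt, _slow_hash(password, salt), now))


def guesses_to_score(guesses: float) -> int:
    """Map an estimated guess count onto the 0-4 buckets of the strength table."""
    for score, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit:
            return score
    return 4


COMMON_PASSWORDS = {"password", "password1", "qwerty", "letmein", "123456"}  # constructed sample


def crude_estimate_guesses(password: str) -> float:
    """Crude stand-in for zxcvbn, NOT the real algorithm: a dictionary hit costs a
    handful of guesses; anything else is priced as brute force over the classes used."""
    if password.lower() in COMMON_PASSWORDS:
        return 10.0
    charset = 0
    for predicate, size in ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
                            (lambda c: c in string.punctuation, len(string.punctuation))):
        if any(predicate(c) for c in password):
            charset += size
    return float(charset) ** len(password) if charset else 1.0


def is_reused(policy: PasswordPolicy, history: List[HistoryEntry],
              password: str, now: datetime) -> bool:
    """A stored password is consulted if it is one of the last history_size entries
    OR newer than history_days: the two bounds form a union, not an intersection."""
    newest_first = sorted(history, key=lambda e: e.created_at, reverse=True)
    cutoff = now - timedelta(days=policy.history_days)
    for index, entry in enumerate(newest_first):
        in_count_window = index < policy.history_size
        in_time_window = policy.history_days > 0 and entry.created_at >= cutoff
        if (in_count_window or in_time_window) and hmac.compare_digest(
                _slow_hash(password, entry.salt), entry.digest):
            return True
    return False


def evaluate(policy: PasswordPolicy, password: str, history: List[HistoryEntry],
             now: datetime, estimate_guesses=crude_estimate_guesses) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    violations: List[str] = []
    if len(password) < policy.min_length:
        violations.append("min_length")
    for name, enabled, test in (
        ("uppercase_required", policy.uppercase_required, str.isupper),
        ("lowercase_required", policy.lowercase_required, str.islower),
        ("digit_required", policy.digit_required, str.isdigit),
        ("symbol_required", policy.symbol_required, lambda c: c in string.punctuation),
    ):
        if enabled and not any(test(c) for c in password):
            violations.append(name)
    lowered = password.lower()  # keyword exclusion is case-insensitive substring match
    if any(keyword.lower() in lowered for keyword in policy.excluded_keywords):
        violations.append("excluded_keyword")
    if policy.minimum_guessable_level is not None and \
            guesses_to_score(estimate_guesses(password)) < policy.minimum_guessable_level:
        violations.append("minimum_guessable_level")
    if (policy.history_size or policy.history_days) and is_reused(policy, history, password, now):
        violations.append("password_reused")
    return violations


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: last-3 / 90-day reuse window, strength level 3, 'authgear' excluded."""
    policy = PasswordPolicy(min_length=8, uppercase_required=True, digit_required=True,
                            minimum_guessable_level=3, excluded_keywords=["authgear"],
                            history_size=3, history_days=90)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    history: List[HistoryEntry] = []
    for days_ago, old in ((400, "OldSpring2023!"), (200, "Summer2023!x"),
                          (120, "Autumn2023!x"), (10, "Winter2024!x")):
        record_password(history, old, now - timedelta(days=days_ago))
    candidates = ["Winter2024!x", "Summer2023!x", "OldSpring2023!",
                  "authgear2024A", "password1", "Ab1!"]
    return {pw: evaluate(policy, pw, history, now) for pw in candidates}


if __name__ == "__main__":
    for candidate, problems in demo().items():
        print(f"{candidate!r}: {'accepted' if not problems else ', '.join(problems)}")
```

In the constructed history, "Summer2023!x" is 200 days old but still the third most recent password, so it is rejected, while "OldSpring2023!" is neither in the last three nor within 90 days and is accepted again. Swapping `crude_estimate_guesses` for a real zxcvbn binding is the only change needed to score the way the Portal's Advanced setting does.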