About password policies | Okta (2024)

Password policies enable admins to enforce password settings at the group and authentication-provider level. Okta provides a default policy to enforce the use of strong passwords to better protect your organization's assets. You can create policies that are less or more restrictive and apply them to users based on group membership.

Group Password Policy is now enabled for all orgs:

  • The Password tab on the Authentication page displays all group password policies. Initially, only the Default Policy and the Default Rule appear.
  • If Group Password Policy was previously not enabled, the Password tab now displays the Legacy Policy and the new Default Policy. The Legacy Policy reflects the org settings present when Group Password Policy was enabled and includes the Legacy Rule and the additional Default Rule.

  • The default rule can't be edited.

  • The Password Expired count for users on the People page isn't displayed when Group Password Policy is enabled. See Expire all user passwords.

Use a group password policy

With group password policies, you can:

  • Define password policies and associated rules to enforce password settings on the group and authentication-provider level.
  • Create multiple policies with more or less restrictive rules and apply them to different groups.
  • Use policies to enforce the use of strong passwords to better protect your organization's assets.

An error can occur during provisioning when a user's Okta password meets the password policies requirements while the password policy itself doesn't. Ensure that the Okta password policy meets the application's requirements, typically, eight characters or more, with an upper and lower case character and either a symbol or number.

Active Directory (AD) and LDAP-sourced users

Group Password Policies are enforced only for Okta and Active Directory (AD) and LDAP-sourced users.

  • For AD and LDAP-sourced users, ensure that your AD and LDAP password policies don't conflict with Okta policies. The directory service manages passwords for AD and LDAP-sourced users. Some applications, such as Microsoft Office 365 and Google G Suite, check an Okta password policy when provisioning a user to ensure that the Okta policy meets the application's password requirements.
  • Previous Group Password Policy options aren't retained after the LDAP Group Password Policy feature is disabled.
  • When the LDAP Group Password Policy is enabled, a custom password policy message can't be used and previous password policy messages aren't applied.
  • When LDAP delegated authentication is disabled, the LDAP Group Password Policy no longer applies to LDAP-sourced users.

The default password policy is applied when a user is created. Group assignment on password policy isn't evaluated when a user is created.

Password Policy evaluation

A password policy is evaluated using the following criteria:

  • Complex requirements are evaluated when the password is set.
  • On the current policy and when the user last set their password, unless the user's password is expired, in which case it remains expired.
  • For AD and LDAP-sourced users, the AD and LDAP complexity requirements should match the AD and LDAP instances.

Ensure that all AD and LDAP password policies don't conflict with policies.

Password Policy types

There are four types of password policies:

Default policy

All Okta-sourced users are subject to the Default Policy unless another policy applies. The Default Policy can't be deactivated or deleted, and always holds the lowest ranking within the policy list.

Legacy Policy

In previous versions of the platform, password policy settings were on the SecurityGeneral page. For orgs that were created before Group Password Policy was enabled, the Legacy policy and associated Legacy rules are preserved. Existing password policy settings for an org are copied to the Legacy Policy. All Legacy policy and rule settings are configurable.

Active Directory Policy

If you currently have one or more Active Directory (AD) integrations, an AD policy is automatically created for you. You can customize the elements of the policy and its rules.

LDAP Policy

If you currently have one or more LDAP integrations, an LDAP policy is automatically created for you. You can customize the elements of the policy and its rules

Password complexity requirements

Complex passwords increase the security of your users' accounts. When configuring password complexity requirement, consider the following information:

  • For AD-sourced users, AD sets and enforces these requirements. Okta settings don't trigger enforcement. Therefore, ensure that these settings duplicate the minimum settings of AD.
  • For LDAP-sourced users, LDAP sets and enforces these requirements. Okta settings don't trigger enforcement. Therefore, ensure that these settings duplicate the minimum settings of LDAP.
  • For non-AD and LDAP-sourced users:

    Does not contain part of username: this requirement rejects any password that contains parts of the login ID based on the delimiters (., ,, -, _, #, and @). For example, if the login ID is john.smith@okta.com, selecting this option rejects any password that contains john, smith, or okta.

  • For non AD and LDAP-sourced users, selecting Does not contain first name or Does not contain last name excludes the user's first name or last name in their entirety. Checking both options ensures that a password can't contain the user's first or last name. These options aren't case-sensitive and only apply to names that are at least three characters long.

Related topics

Configure a password policy

MFA enrollment policies

Okta sign-on policies

App sign-on policies

Configure an Okta sign-on policy

Configure an MFA enrollment policy

Configure an app sign-on policy

About password policies | Okta (2024)


What is the password policy? ›

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training.

What is the standard for password policy? ›

Require strong, unique passwords.

Strong passwords are: Long—at least 16 characters long (even longer is better). Random—like a string of mixed-case letters, numbers and symbols (the strongest!) or a passphrase of 5 –7 random words. Unique—used for one and only one account.

What is one problem with password policies? ›

Password policies fail to solve the wider problems of user authentication. Even in the unlikely event that a policy is strong, up-to-date, and adhered to by all members of staff, password policies ultimately fail to solve the inherent weaknesses of credentials as an authentication mechanism.

What is an example of a good password policy? ›

Create strong passwords

At least 12 characters long but 14 or more is better. A combination of uppercase letters, lowercase letters, numbers, and symbols. Not a word that can be found in a dictionary or the name of a person, character, product, or organization. Significantly different from your previous passwords.

What is the best policy to use for your password? ›

7 Best Practices for Your Password Policy
  1. Leverage Password Managers. ...
  2. Require Multi-Factor Authentication. ...
  3. Keep All Passwords Unique. ...
  4. Keep All Passwords Random. ...
  5. Conduct Password Audits. ...
  6. Restrict Where Passwords Are Entered. ...
  7. Don't Change Them Too Often.

Why do companies use password policies? ›

By implementing a strong password policy, your business can make it more difficult for cyber criminals to gain access to its confidential data. Password policies help protect users from themselves by requiring them to create strong passwords and change them regularly.

What is password policy according to NIST? ›

What are the password rules for NIST? According to the password rules of NIST, user-generated passwords should be at least 8 characters, while machine-generated passwords can get away with 6 characters in length.

Which three password policies should an administrator configure? ›

Here are some of the password policies and best practices that every system administrator should implement:
  • Enforce Password History policy. ...
  • Minimum Password Age policy. ...
  • Maximum Password Age policy. ...
  • Minimum Password Length policy. ...
  • Passwords Must Meet Complexity Requirements policy. ...
  • Reset Password. ...
  • Password Audit policy.
Feb 8, 2018

How often should passwords be changed? ›

But how often should you create new passwords? Cybersecurity experts recommend changing your password every three months. There may even be situations where you should change your password immediately, especially if a cybercriminal has access to your account.

What are the disadvantages of a strong password policy? ›

The possible disadvantages of a strict password policy are that users will not adhere to the policy and become locked out. They will become frustrated with the keeping up with multiple complex passwords. They will store the password in using an insecure method or attempt to circumvent the entire process.

Are password change policies bad? ›

Forcing people to change their passwords routinely may lull them into bad habits. Many users simply adopt a predictable mechanism, such as adding -01, -02, -03 and so on to satisfy the letter (but not the spirit) of your password replacement rules. Attackers can figure out that sort of behaviour.

What is the most common password mistake? ›

Here is a list of the most common mistakes made when creating passwords:
  • Using less than 10 characters - secure passwords should contain 12-16 characters.
  • Putting numbers at the end of your password instead of throughout your password.
  • Using pop culture references like "maytheforcebewithyou" or "sk8erboy"

What is password policy requirements? ›

A password policy sets the rules that passwords for a service must meet, such as length and type of characters allowed and disallowed. Additionally, the password policy might specify that an entry is disallowed if the term is in a dictionary of unwanted terms.

What is not a best practice for password policy? ›

What is not a best practice for password policy? a) Deciding maximum age of password b) Restriction on password reuse and history c) Password encryption d) Having change password every 2 years View Answer Answer: d Explanation: Old passwords are more vulnerable to being misplaced or compromised.

What is the 8 4 rule for password states? ›

Rule 2 – Password Complexity: Your password should contain at least one character from each of the following groups. This is often called the “8 4 Rule” (Eight Four Rule): 8 = 8 characters minimum length. 4 = 1 lower case + 1 upper case + 1 number + 1 special character.

How can I see my password policy? ›

To get there, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

What is the password policy for 21 CFR Part 11? ›

This means that passwords should not contain any personal data such as a name, date of birth, or address. Passwords should also be a minimum of 8 letters and/or numbers, with one capital letter, one lower case letter, and at least one special character.

Top Articles
Latest Posts
Article information

Author: Foster Heidenreich CPA

Last Updated:

Views: 6027

Rating: 4.6 / 5 (56 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Foster Heidenreich CPA

Birthday: 1995-01-14

Address: 55021 Usha Garden, North Larisa, DE 19209

Phone: +6812240846623

Job: Corporate Healthcare Strategist

Hobby: Singing, Listening to music, Rafting, LARPing, Gardening, Quilting, Rappelling

Introduction: My name is Foster Heidenreich CPA, I am a delightful, quaint, glorious, quaint, faithful, enchanting, fine person who loves writing and wants to share my knowledge and understanding with you.