Password Policy

The password policy controls what makes a valid password in your workspace. It applies to all new passwords — set during registration, password change, or password reset.

When the policy applies

The policy is enforced at the point of password creation or change. It applies when:

  • A new user sets their password during workspace signup
  • A user changes their own password
  • A user resets their password via the "Forgot password?" flow
  • An admin sets a new password for a user

Note: Policy changes do not immediately affect existing passwords. When you tighten the policy (increase minimum length or add a character requirement), existing users are not forced to change their passwords immediately. The new rules apply the next time each user sets a new password. If immediate enforcement is required, prompt users to change their passwords or reset them manually via Admin → Users.

Settings reference

Password policy settings are on the Internal tab under Admin → Authentication, in the Password Policy section.

| Setting | Default | Constraint | What it does |
|---|---|---|---|
| Minimum length | 12 | Min 12, max 64 | The minimum number of characters a password must contain. Cannot be set below 12. |
| Require lowercase (a–z) | On | | Password must contain at least one lowercase letter. |
| Require uppercase (A–Z) | On | | Password must contain at least one uppercase letter. |
| Require number (0–9) | On | | Password must contain at least one digit. |
| Require special character | On | | Password must contain at least one non-alphanumeric character (e.g., !, @, #). |

Validation rules on save

The system enforces two rules when you save the password policy:

  • Minimum length floor: The value cannot be set below 12. If you enter a lower number, the save is rejected with an error.
  • Minimum two character categories: At least two of the four character type requirements (lowercase, uppercase, number, special) must remain enabled. Disabling all four — or leaving only one — is not permitted.
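
The two save-time rules and the resulting password check can be modelled as below. This is an added example, not the product's own code: the class and function names are hypothetical, and it assumes the categories match the ASCII ranges shown in the settings table, with "special" meaning any other character.

```python
import string
from dataclasses import dataclass

# Floor and ceiling for "Minimum length", taken from the settings table.
MIN_LENGTH_FLOOR, MIN_LENGTH_CEILING = 12, 64

# Assumption: categories are matched against the ASCII ranges the table labels
# (a-z, A-Z, 0-9); "special" is any character outside those three ranges.
CATEGORY_TESTS = {
    "lowercase": lambda c: c in string.ascii_lowercase,
    "uppercase": lambda c: c in string.ascii_uppercase,
    "number": lambda c: c in string.digits,
    "special": lambda c: c not in string.ascii_letters + string.digits,
}

@dataclass
class PasswordPolicy:  # hypothetical model; defaults mirror the settings table
    min_length: int = 12
    lowercase: bool = True
    uppercase: bool = True
    number: bool = True
    special: bool = True

    def enabled(self):
        return [name for name in CATEGORY_TESTS if getattr(self, name)]

def validate_policy(policy):
    """Return the save-time errors for a policy; an empty list means it can be saved."""
    errors = []
    if not MIN_LENGTH_FLOOR <= policy.min_length <= MIN_LENGTH_CEILING:
        errors.append("min_length must be between 12 and 64")
    if len(policy.enabled()) < 2:
        errors.append("at least two character categories must stay enabled")
    return errors

def check_password(policy, password):
    """Return the requirements a candidate password fails under a valid policy."""
    if validate_policy(policy):
        raise ValueError("refusing to evaluate passwords against an invalid policy")
    failures = []
    if len(password) < policy.min_length:
        failures.append("min_length")
    for name in policy.enabled():
        if not any(CATEGORY_TESTS[name](c) for c in password):
            failures.append(name)
    return failures
```

Running `check_password` over candidate passwords before rollout shows which requirement a tightened policy would trip for each one.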

Does changing the policy force existing users to reset their passwords?

No. Existing passwords are not invalidated when you change the policy. The new requirements apply only the next time a user creates or changes their password. If you need immediate enforcement, you can manually trigger a password reset for affected users via Admin → Users → All Users.