Password validation

WSO2 Identity Server provides several password validation mechanisms to ensure user passwords meet the required complexity standards and are regularly updated to maintain security. This guide walks you through enabling and configuring these options for your organization.

Configure password validation

You can find the password configuration options by following the steps below.

  1. On the WSO2 Identity Server Console, navigate to Login & Registration.

  2. Under Login Security, select Password Validation.

  3. On the Password Validation page, you can configure the following options:

    • Rule-based password expiration: Passwords expire based on the rules you define for users' groups and roles. A user whose password has expired is redirected to the password reset screen at the next login.

    • Password history count: Specify how many of a user's most recent passwords may not be reused. When resetting a password, if a user chooses a password that is still within the stored history, the reset fails with an error.

    • Password input validation: Set password complexity requirements by defining length constraints and required character types. When a user creates or resets a password that does not meet these requirements, the validation fails and the password is rejected.

  4. Click Update to save the changes.

Password validation options

The following are the password validation options available for your organization.

Rule-Based password expiration

Rule-based password expiration allows administrators to set custom password expiration rules based on the user's groups and roles. The higher a rule appears on the list, the greater its priority. Rules are evaluated based on their priorities and the first rule that matches the user's condition will take effect.

To configure rule-based password expiration,

  1. Turn the Password Expiration toggle on to enable password expiration.

  2. Set a default password expiry rule that applies to any user who does not match any of the custom rules.

  3. Click Add Rule and start defining custom rules. Each new rule is added to the top of the list, giving it the highest priority. Use the arrows on the left to reorder rules and change their priorities.

Refer to the following table for more information on rule parameters.

Parameter Description
Attribute User attribute against which you are enforcing password expiry. Select either Groups or Roles.
Values Select the specific group/role. Selecting multiple values makes the rule conjunctive (AND): it is enforced only on users who belong to all of the selected groups/roles.
Operator
  • Apply: Password expiry will be enforced for users who meet the rule criteria.
  • Skip: Password expiry will not be enforced for users who meet the rule criteria.
Expiration (days) Passwords of users meeting the criteria expire after this number of days.
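The following is an added example, not WSO2 Identity Server code, that models how the table above fits together: rules are kept highest-priority-first, a rule matches only when the user holds every selected group/role (AND), the first match decides between Apply and Skip, and the default applies when nothing matches. The rule list, users, dates and the `password_changed` attribute are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ExpiryRule:
    attribute: str              # "groups" or "roles"
    values: FrozenSet[str]      # user must belong to ALL of these (AND semantics)
    operator: str               # "apply" or "skip"
    expiration_days: int = 0    # used only when operator == "apply"


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]
    roles: FrozenSet[str]
    password_changed: date      # assumed attribute: when the current password was set


def rule_matches(rule: ExpiryRule, user: User) -> bool:
    """A rule matches when the user holds every selected group/role."""
    held = user.groups if rule.attribute == "groups" else user.roles
    return rule.values <= held


def effective_expiry_days(user: User, rules: List[ExpiryRule],
                          default_days: int) -> Optional[int]:
    """Walk the rules from highest priority (index 0) down; the first match wins.
    Returns None when the matching rule says 'skip' (no expiry for this user)."""
    for rule in rules:
        if rule_matches(rule, user):
            return None if rule.operator == "skip" else rule.expiration_days
    return default_days


def password_expired(user: User, rules: List[ExpiryRule],
                     default_days: int, today: date) -> bool:
    days = effective_expiry_days(user, rules, default_days)
    if days is None:
        return False
    return today - user.password_changed >= timedelta(days=days)


# Constructed sample policy, listed highest priority first as the console shows it.
RULES = [
    ExpiryRule("roles", frozenset({"service-account"}), "skip"),
    ExpiryRule("groups", frozenset({"finance", "admins"}), "apply", 30),
    ExpiryRule("groups", frozenset({"finance"}), "apply", 60),
]
DEFAULT_DAYS = 90

# Constructed sample users; all changed their password on the same day.
CHANGED = date(2024, 4, 1)
USERS = {
    "alice": User("alice", frozenset({"finance", "admins"}), frozenset(), CHANGED),
    "bob":   User("bob",   frozenset({"finance"}),           frozenset(), CHANGED),
    "carol": User("carol", frozenset({"engineering"}),       frozenset(), CHANGED),
    "svc":   User("svc",   frozenset({"finance", "admins"}),
                  frozenset({"service-account"}), CHANGED),
}


def evaluate_all(today: date = date(2024, 6, 1)) -> dict:
    """Return {username: (expiry_days_or_None, expired?)} for the sample users."""
    return {
        name: (effective_expiry_days(u, RULES, DEFAULT_DAYS),
               password_expired(u, RULES, DEFAULT_DAYS, today))
        for name, u in USERS.items()
    }


if __name__ == "__main__":
    for name, (days, expired) in evaluate_all().items():
        print(f"{name:6} expiry={days} expired={expired}")
```

Note that `svc` belongs to both `finance` and `admins`, so it would get the 30-day rule if the `skip` rule were not above it; moving the `skip` rule to the bottom of the list changes the outcome for that user, which is why rule order matters when you review a policy.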

Password history count

The Password History Count feature allows you to specify the number of unique new passwords a user must use before an old password can be reused. This enhances account security by preventing the reuse of old passwords.

To enable this, select the corresponding checkbox and configure the following option.

Parameter Description
Password History Count [Optional] The number of unique passwords that must be set before reusing an old password.
Example: If set to 3, the user cannot reuse the last three passwords they have set.
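The following is an added example, not WSO2 Identity Server code, that walks through the "count = 3" case: the last three passwords are kept as salted hashes, a candidate is re-derived under each stored salt and compared in constant time, and once a fourth password is set the oldest one becomes reusable. The use of PBKDF2-HMAC-SHA256, the storage layout and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Tuple


class PasswordReuseError(ValueError):
    """Raised when a candidate password matches one of the last N passwords."""


class PasswordHistory:
    """Keeps salted hashes of a user's last `history_count` passwords.

    Hash function and storage format are assumptions for this example; the
    point is that history is kept as salted hashes, never as plaintext or
    reversible ciphertext, so a leaked history does not leak old passwords.
    """

    def __init__(self, history_count: int, iterations: int = 600_000):
        self.history_count = history_count
        self.iterations = iterations                   # PBKDF2 work factor
        # deque drops the oldest entry automatically once the window is full
        self._entries: Deque[Tuple[bytes, bytes]] = deque(maxlen=max(history_count, 0))

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.iterations)

    def was_used(self, candidate: str) -> bool:
        """Re-derive the candidate under each stored salt; constant-time compare."""
        for salt, digest in self._entries:
            if hmac.compare_digest(self._hash(candidate, salt), digest):
                return True
        return False

    def set_password(self, new_password: str) -> None:
        if self.was_used(new_password):
            raise PasswordReuseError(
                f"password matches one of the last {self.history_count} passwords")
        salt = os.urandom(16)                          # fresh salt per stored entry
        self._entries.append((salt, self._hash(new_password, salt)))

    def stored(self) -> int:
        return len(self._entries)


def demo(iterations: int = 600_000) -> dict:
    """Walk through the 'count = 3' example with constructed passwords."""
    h = PasswordHistory(3, iterations=iterations)
    for pw in ("Winter2024!a", "Spring2024!b", "Summer2024!c"):
        h.set_password(pw)
    result = {"first_reusable_after_3": not h.was_used("Winter2024!a")}
    try:
        h.set_password("Winter2024!a")                 # still inside the window of 3
        result["reset_rejected"] = False
    except PasswordReuseError:
        result["reset_rejected"] = True
    h.set_password("Autumn2024!d")                     # pushes Winter2024!a out
    result["first_reusable_after_4"] = not h.was_used("Winter2024!a")
    result["stored"] = h.stored()
    return result


if __name__ == "__main__":
    print(demo())
```

The work factor is deliberately high: every reset costs one hash per stored entry, which is acceptable for a window of a few passwords and is the price of not keeping fast-to-brute-force history.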

Password input validation

The Password Input Validation feature enables you to set password complexity requirements which include minimum password length and required character types.

Configure the following parameters to enforce input validation.

Parameter Description
Number of characters Set the minimum and maximum length a password may have.
Mandatory characters By default, a password must contain at least one character from each of the following classes:
  • Numbers
  • Upper-case characters
  • Lower-case characters
  • Special characters
Number of unique characters [Optional] The minimum number of distinct characters the password must contain.
Number of repeated characters [Optional] The maximum number of times the same character may appear consecutively in a password.
Example: If you set the number of repeated characters to 1, no character may appear twice in a row.
The password aa1@Znlq is rejected because the character a appears twice consecutively.

Validation for whitespace in passwords

WSO2 Identity Server automatically trims leading and trailing whitespace from passwords when a password is created, updated, or entered at login, so a password typed with surrounding spaces is treated as its trimmed value in all three cases.
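The following is an added example, not WSO2 Identity Server code, that implements the checks from the input validation table above together with the whitespace rule in this section: the candidate is trimmed first, then checked for length, the four mandatory character classes, the minimum number of unique characters and the longest consecutive run. It reproduces the aa1@Znlq case and also shows a password that is long enough as typed but too short once trimmed. The policy values, the rule that any non-alphanumeric character counts as "special", and the sample passwords are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 30
    require_number: bool = True
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = True
    min_unique_chars: Optional[int] = None         # "Number of unique characters"
    max_consecutive_repeats: Optional[int] = None  # "Number of repeated characters"


def normalise(password: str) -> str:
    """Strip leading/trailing whitespace, as the server does before using a password."""
    return password.strip()


def longest_consecutive_run(s: str) -> int:
    """Length of the longest run of one character repeated back to back."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def validate(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the unmet requirements; an empty list means the password is acceptable.
    Every check runs on the trimmed value (assumption: trimming happens before validation)."""
    pw = normalise(password)
    failures: List[str] = []
    if len(pw) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        failures.append(f"longer than {policy.max_length} characters")
    if policy.require_number and not any(c.isdigit() for c in pw):
        failures.append("no number")
    if policy.require_upper and not any(c.isupper() for c in pw):
        failures.append("no upper-case character")
    if policy.require_lower and not any(c.islower() for c in pw):
        failures.append("no lower-case character")
    # Assumption: any character that is neither a letter nor a digit is "special".
    if policy.require_special and not any(not c.isalnum() for c in pw):
        failures.append("no special character")
    if policy.min_unique_chars is not None and len(set(pw)) < policy.min_unique_chars:
        failures.append(f"fewer than {policy.min_unique_chars} unique characters")
    if (policy.max_consecutive_repeats is not None
            and longest_consecutive_run(pw) > policy.max_consecutive_repeats):
        failures.append(
            f"a character appears more than {policy.max_consecutive_repeats} time(s) consecutively")
    return failures


# Constructed policy: 8-30 characters, all four classes, 5 unique, no consecutive repeats.
POLICY = PasswordPolicy(min_length=8, max_length=30,
                        min_unique_chars=5, max_consecutive_repeats=1)

# Constructed inputs covering the documented cases.
SAMPLES = (
    "aa1@Znlq",            # the table's example: 'a' twice in a row
    "  Tr0ub4dor&3  ",     # valid once the surrounding spaces are trimmed
    "   Ab1!xyZ   ",       # 13 characters as typed, only 7 after trimming
    "password",            # missing three classes and repeats 's'
    "Ab1!" * 8,            # 32 characters, only 4 distinct
)


def check_samples(policy: PasswordPolicy = POLICY) -> dict:
    """Return {sample: failures} for every constructed input."""
    return {pw: validate(pw, policy) for pw in SAMPLES}


if __name__ == "__main__":
    for pw, failures in check_samples().items():
        print(repr(pw), "OK" if not failures else failures)
```

Because trimming happens before the length check, a user who pads a short password with spaces does not get past the minimum length; conversely, interior whitespace survives trimming and, under the assumption above, counts as a special character.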