Password policy
Logto applies the password policy in different ways depending on how the password is created or updated:
- End-user flows such as the out-of-the-box sign-in experience, the Experience API, and the Account API always enforce the current password policy.
- Administrator actions via the Management API PATCH /api/users/{userId}/password are exempt, allowing you to provision or reset credentials without policy checks when needed.
- To audit existing passwords against the current rules, call POST /api/sign-in-exp/default/check-password and act on the returned validation result. Read Password compliance check to learn more.
Set up password policy
For new users or users who are updating their password, you can set a password policy to enforce password strength requirements. Visit the Console > Security > Password policy to configure the password policy settings.
- Minimum password length: Set the minimum number of characters required for the password. (NIST suggests using at least 8 characters)
- Minimum required character types: Set the minimum number of character types required for the password. The available character types are:
  - Uppercase letters: (A-Z)
  - Lowercase letters: (a-z)
  - Numbers: (0-9)
  - Special characters: (!"#$%&'()*+,-./:;<>=?@[]^_`|{}~ )
- Breach history check: Enable this setting to reject passwords that have been previously exposed in data breaches. (Powered by Have I Been Pwned)
- Repetition check: Enable this setting to reject passwords that contain repetitive characters. (e.g., "11111111" or "password123")
- User information check: Enable this setting to reject passwords that contain user information such as username, email address, or phone number.
- Custom words: Provide a list of custom words (case-insensitive) that you want to reject in the password.
Password compliance check
After you update the password policy in Logto, existing users can still sign in with their current passwords. Only newly created accounts, and users who change their password, are required to follow the updated policy.
To enforce stronger security, you can use the POST /api/sign-in-exp/default/check-password API to check whether a user's password meets the current policy defined in the default sign-in experience. If it doesn't, you can prompt the user to update their password with a custom flow using the Account API.
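As an added example (not code from the Logto project), the following JavaScript mirrors the rules listed under Set up password policy so that a custom flow of the kind described above can pre-check a candidate password locally before it is sent to Logto. The policy object shape, the issue codes, and the exact repetition and user-information heuristics are assumptions made for this example; the server-side check-password API remains authoritative. The breach history check (Have I Been Pwned) requires a network lookup and is not reproduced here.

```javascript
// Added example (not Logto's own code): a local evaluator for the password
// policy rules described on this page. Policy shape, issue codes and the
// repetition / user-information heuristics are assumptions of this example.

// One regular expression per character type listed in the policy settings.
const CHARACTER_TYPES = {
  uppercase: /[A-Z]/,
  lowercase: /[a-z]/,
  number: /[0-9]/,
  special: /[!"#$%&'()*+,\-./:;<>=?@[\]^_`|{}~ ]/,
};

// Example policy, mirroring the Console > Security > Password policy settings
// (values constructed for this example).
const EXAMPLE_POLICY = {
  minLength: 8,          // NIST suggests at least 8 characters
  minCharacterTypes: 2,
  repetitionCheck: true,
  userInfoCheck: true,
  customWords: ["logto"],
};

// Constructed sample user; only the profile fields the policy inspects.
const EXAMPLE_USER = {
  username: "alice",
  email: "alice@example.com",
  phone: "+1 555 123 4567",
};

function countCharacterTypes(password) {
  return Object.values(CHARACTER_TYPES).filter((re) => re.test(password)).length;
}

// Repetition heuristic (assumption): a run of four or more identical
// characters ("11111111"), or three or more consecutive code points in
// ascending or descending order ("123", "cba"), as in "password123".
function hasRepetition(password) {
  if (/(.)\1{3,}/.test(password)) {
    return true;
  }
  for (let i = 0; i + 2 < password.length; i += 1) {
    const a = password.charCodeAt(i);
    const b = password.charCodeAt(i + 1);
    const c = password.charCodeAt(i + 2);
    if ((b === a + 1 && c === b + 1) || (b === a - 1 && c === b - 1)) {
      return true;
    }
  }
  return false;
}

// User information heuristic (assumption): reject a password containing the
// username, the email address or its local part, or the digits of the phone
// number, compared case-insensitively. Values shorter than three characters
// are ignored so a two-letter username does not reject every password.
function containsUserInfo(password, user) {
  const haystack = password.toLowerCase();
  const candidates = [
    user.username,
    user.email,
    user.email ? user.email.split("@")[0] : "",
    user.phone ? user.phone.replace(/\D/g, "") : "",
  ];
  return candidates.some(
    (value) => value && value.length >= 3 && haystack.includes(value.toLowerCase()),
  );
}

// Returns the list of policy issues; an empty array means the password complies.
function checkPassword(password, policy, user) {
  const issues = [];
  if (password.length < policy.minLength) {
    issues.push("length");
  }
  if (countCharacterTypes(password) < policy.minCharacterTypes) {
    issues.push("character_types");
  }
  if (policy.repetitionCheck && hasRepetition(password)) {
    issues.push("repetition");
  }
  if (policy.userInfoCheck && user && containsUserInfo(password, user)) {
    issues.push("user_info");
  }
  const lowered = password.toLowerCase();
  if (policy.customWords.some((word) => lowered.includes(word.toLowerCase()))) {
    issues.push("custom_word");
  }
  return issues;
}

// Stand-alone demo over a few constructed candidates.
for (const candidate of ["Tr0ub4dor&3", "11111111", "password123", "Alice2024!", "LogtoRocks#9"]) {
  const issues = checkPassword(candidate, EXAMPLE_POLICY, EXAMPLE_USER);
  console.log(`${candidate}: ${issues.length === 0 ? "ok" : issues.join(", ")}`);
}
```

A flow that audits existing users would run this (or the server-side API) per user and, for anyone whose result is non-empty, trigger the custom password-update prompt; the issue codes make it straightforward to tell the user which rule failed.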