Password policies

Password policies enable admins to enforce password settings at the group and authentication-provider level. Okta provides a default policy to enforce the use of strong passwords to better protect your organization's assets. You can create policies that are less or more restrictive and apply them to users based on group membership.

Group Password Policy is now enabled for all orgs:

The Password tab on the Authentication page displays all group password policies. Initially, only the Default Policy and the Default Rule appear.
If Group Password Policy was previously not enabled, the Password tab now displays the Legacy Policy and the new Default Policy. The Legacy Policy reflects the org settings present when Group Password Policy was enabled and includes the Legacy Rule and the additional Default Rule.

The default rule can't be edited.
The Password Expired count for users on the People page isn't displayed when Group Password Policy is enabled. See Expire all user passwords.

Use a group password policy

With group password policies, you can:

Define password policies and associated rules to enforce password settings on the group and authentication-provider level.
Create multiple policies with more or less restrictive rules and apply them to different groups.
Use policies to enforce the use of strong passwords to better protect your organization's assets.

An error can occur during provisioning when a user's Okta password meets the password policies requirements while the password policy itself doesn't. Ensure that the Okta password policy meets the app's requirements: typically, eight characters or more, with an uppercase and lowercase character and either a symbol or number.

Active Directory and LDAP-sourced users

Group Password Policies are enforced only for Okta and Active Directory (AD) and LDAP-sourced users.

For AD and LDAP-sourced users, ensure that your AD and LDAP password policies don't conflict with Okta policies. The directory service manages passwords for AD and LDAP-sourced users. Some apps check the Okta password policy when they provision users. For example, Microsoft Office 365 and Google G Suite verify that the Okta password policy meets the app's password requirements.
Previous Group Password Policy options aren't retained after the LDAP Group Password Policy feature is disabled.
When the LDAP Group Password Policy is enabled, a customized password policy message can't be used and previous password policy messages aren't applied.
When LDAP delegated authentication is disabled, the LDAP Group Password Policy no longer applies to LDAP-sourced users.

The default password policy is applied when a user is created. Group assignment on password policy isn't evaluated when a user is created.

Password policy ranking and evaluation

Okta provides a default policy that enforces the use of strong passwords to better protect your organization's assets. You can also create other policies that are less or more restrictive and apply them to users based on group membership.

When you add a password policy, it appears at the top of the list of policies, above the default policy. You can re-order all policies except the default one. Click and drag a policy to its new location in the list. Place more restrictive policies above less restrictive ones. Okta evaluates them in the order in which they appear in the list, starting at the top. It stops evaluating the policies when the user's sign-in attempt matches a policy.

When a user sets or changes their password, Okta evaluates the password against the requirements in your password policies. Okta rejects the password if it doesn't meet the complexity requirements of the policy that applies to the user.

For AD and LDAP-sourced users, the AD and LDAP complexity requirements should match the AD and LDAP instances. Ensure that all AD and LDAP password policies don't conflict with Okta password policies.

See Configure a password policy.

Password Policy types

There are four types of password policies:

Default policy	All Okta-sourced users are subject to the Default Policy unless another policy applies. The Default Policy can't be deactivated or deleted, and always holds the lowest ranking within the policy list.
Legacy Policy	In previous versions of the platform, password policy settings were on the SecurityGeneral page. For orgs that were created before Group Password Policy was enabled, the Legacy policy and associated Legacy rules are preserved. Existing password policy settings for an org are copied to the Legacy Policy. All Legacy policy and rule settings are configurable.
Active Directory Policy	If you currently have any AD integrations, an AD policy is automatically created for you. You can customize the elements of the policy and its rules.
LDAP Policy	If you currently have any LDAP integrations, an LDAP policy is automatically created for you. You can customize the elements of the policy and its rules

Password complexity requirements

Complex passwords increase the security of your users' accounts. When you configure the password complexity requirements, consider the following information: