Enable strong password settings for password policies

Password policies allow you to define authentication policies and associated rules to enforce password settings for your end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using apps to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control..


HealthInsight: Why is this task recommended?

This a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Enable strong password settings to enforce strict password policies that define settings for password lockout, history, minimum age, and minimum length.

Security impact: Low

End-user impact: Moderate

Okta recommends: Define password policies to specify a password lockout, history, minimum age, and minimum length of 8 characters and disallow common passwords.


Recommended settings

Lock out Specify the maximum number of invalid password attempts before locking the user's account. This provides protection against brute-force password attacks.
Minimum length Specify a minimum password length of at least 8 characters. Longer passwords provide greater protection against brute force attacks.
History Specify the number of distinct passwords users must create before reusing a password. This prevents users from reusing a previous password when resetting their password. If there is a compromise that requires a password reset, you want to ensure users can't reuse compromised credentials.
Password age Specify the minimum time interval required between password changes. This setting prevents users from bypassing the enforce password history requirement.
Common Password Check Restrict the use of common passwords.


End-user experience and impact


Note the following about how end users are impacted when password settings are configured:


Users will be unable to access their accounts after multiple failed sign-ins.

When users are locked out, the account unlock options available to the users are specified by password policy lockout settings and policy rules defined by the adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page.. If no self-service or auto-unlock settings are enabled, users are required to contact the admin to unlock the account. The number of attempts should take into account both typical user sign-in patterns and security.


A lockout policy allowing only a low number of attempts may cause more lockout incidents. For example, users may mistype passwords when signing in from a mobile device or when they have recently changed their passwords. Some applications may auto-retry cached passwords when they're changed, resulting in user lockouts. However, a lockout policy with too high allowed attempts increases the risk of credential attacks.

Minimum length

Longer passwords are more difficult for users to remember, especially when combined with other complexity requirements (e.g. require uppercase, lowercase, symbols, etc).

The National Institute of Standards and Technology (NIST) recommends longer passwords which are easy to remember (“phrase-like”) but more difficult to obtain from brute force attacks.


Enforcing a password history requires users to use a new password when resetting their password. This may result in an increased number of lockouts or password resets due to users forgetting their password.

Password age

Enforcing password age will prevent users from being able to self-service password reset if they forget their new password following a password reset and the required password has not reached the specified password age.

Admins should take this into account when setting the password age. A shorter password age can be balanced with a longer password history to prevent password reuse.

Common Password Check A user who is setting a password that matches one that is found on a list of commonly used passwords will be unable to use that password.



To configure password settings for password policies:

  1. From the admin console menu, click to Security > AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect..
  2. From the Password tab, review each policy. To edit the policy, click Edit.

    Editing an authentication policy in the admin console.

  3. Edit the password settings within the policy based on the recommendations.

    Editing an authentication policy in the admin console.

  4. To enable each setting, select the box next to Password History, Password Age, Lock out, and Common Password Check.


Related topics