About password policies
Password policies enables admins to define password policies and associated rules that enforce password settings at the group and authentication-provider level. Okta provides a default policy to enforce the use of strong passwords to better protect your organization's assets. Admins can also create additional policies that are less or more restrictive and apply them to users based on group membership.
Group Password Policy is now enabled for all orgs:
- The Password tab on the Authentication page displays all group password policies. Initially, only the Default Policy and the Default Rule appear.
If Group Password Policy was previously not enabled, the Password tab now displays the Legacy Policy and the new Default Policy. The Legacy Policy reflects the org settings present when Group Password Policy was enabled and includes the Legacy Rule and the additional Default Rule.
- The Password Expired count for users on the People page is not displayed when Group Password Policy is enabled. See Expire all user passwords.
The default policy cannot be edited.
Using Group Password Policy
With group password policies, you can:
- Define password policies and associated rules to enforce password settings on the group and authentication-provider level.
- Create multiple policies with more or less restrictive rules and apply them to different groups.
- Use policies to enforce the use of strong passwords to better protect your organization's assets.
An error can occur during provisioning when user's Okta password meets the password policies requirements while the password policy itself does not. Ensure that the Okta password policy meets the application's requirements, typically, eight characters with an upper and lower case character and either a symbol or number.
Active Directory (AD) and LDAP mastered users
Group Password Policies are enforced only for Okta and Active Directory (AD) and LDAP mastered users.
- For AD and LDAP mastered users, ensure that your AD and LDAP password policies don't conflict with Okta policies. Passwords for AD and LDAP mastered users are still managed by the directory service. For example, some applications, such as Microsoft Office 365 and Google G Suite, check an Okta password policy when provisioning a user to ensure that the Okta policy meets the application's password requirements.
Previous Group Password Policy options are not retained after the LDAP Group Password Policy feature is disabled.
When the LDAP Group Password Policy feature is enabled, a custom password policy message cannot be used and previous password policy messages are not applied.
When LDAP delegated authentication is disabled, the LDAP Group Password Policy no longer applies to LDAP mastered users.
The default password policy is applied when a user is created. Group assignment on password policy is not evaluated when user is created.
Password Policy evaluation
A password policy is evaluated using the following criteria:
- Complex requirements are evaluated when the password is set.
- On the current policy and when the user last set their password, unless the user's password is already expired in which case it remains expired.
- For AD and LDAP mastered users, the AD and LDAP complexity requirements should match the AD and LDAP instances.
Ensure that all AD and LDAP password policies don't conflict with policies.
There are four types of password policies:
All Okta-mastered users are subject to the Default Policy unless another policy applies. The Default Policy cannot be deactivated or deleted, and always holds the lowest ranking within the policy list.
In previous versions of the platform, password policy settings were located on the Security > General page. For orgs that were created before Group Password Policy was enabled, the Legacy policy and associated Legacy rules are preserved. Existing password policy settings for an org are copied to the Legacy Policy. All Legacy policy and rule settings are configurable.
|Active Directory Policy||If you currently have one or more Active Directory (AD) integrations, an AD policy is automatically created for you. You can customize the elements of the policy and its rules.|
|LDAP Policy||If you currently have one or more LDAP integrations, an LDAP policy is automatically created for you. You can customize the elements of the policy and its rules|
Complex passwords increase the security of your users' accounts. When configuring password complexity requirement, consider the following information:
For AD-mastered users, these requirements are set and enforced by AD; no enforcement is triggered by Okta settings. Therefore, ensure that these settings duplicate the minimum settings of AD.
- For LDAP-mastered users, these requirements are set and enforced by LDAP; no enforcement is triggered by Okta settings. Therefore, ensure that these settings duplicate the minimum settings of LDAP.
For non AD and LDAP mastered users:
Does not contain part of username: A username is defined by the string that precedes the @ symbol in a given email address. For example, in firstname.lastname@example.org, the username is johnsmith. Checking this option rejects any password that contains part or all of the username.
For non AD and LDAP mastered users, selecting the Does not contain first name or Does not contain last name option excludes all of the user's first name or last name in its entirety. Checking this option ensures that a password cannot contain all of the first or last name. This option only applies to names that are at least three characters long and is not case sensitive.