Configure the Password authenticator

The Password authenticator enables you to require users to provide a password when signing in to Okta or one of your apps.

Passwords consist of a string of characters that the user types into a password field on the Sign-In Widget. Admins can customize the complexity of passwords, configure their age, expiry and history, and enable lockout conditions.

The Password authenticator is active by default. To use the Password authenticator, you configure a password policy and rules for it.

Configure a password policy

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, find the Password item in the list of authenticators and click Actions > Edit.
  3. Okta provides a default policy that you can customize, or you can create your own.
    • To customize the default policy, select Default Policy in the list and click Edit.
    • To create your own password policy, click Add New Password Policy and complete these fields:
      • Policy name: Type a descriptive name for this policy.
      • Policy description: Type a description of what this policy does, and to whom it applies.
      • Add group: Start typing the name of groups of users to whom the policy will apply. As you type, Okta suggests groups that match your text. Select the desired group from the list. See About groups for information on creating groups of users.
      • Applies to: Select the authentication provider to which you want to apply this password policy.
  4. Configure the Password Settings options:
    • Minimum length: Require a minimum number of characters in passwords.
    • Complexity requirements: Require various character types and other attributes in passwords.
    • Common password check: When you select this option, Okta compares the user's password to a database of commonly used passwords and blocks a password from being used if it's found in the database.
    • Password age: Set how long a password stays valid, how many previous passwords Okta remembers so they can't be reused, and when users are prompted to change their password.
    • Lock out: Set the number of incorrect passwords that may be entered before the account is locked, how long the account stays locked, and which lockout notifications Okta shows or sends.
    • To prevent Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) lockouts, make sure that the number entered for Lock out user after <#> unsuccessful attempts is lower than the failed sign-in attempt limit configured in AD or LDAP. For example, if the directory locks an account after 10 failed Windows sign-in attempts, Okta recommends an Okta limit of 9. Once a user reaches the Okta limit, further failed attempts are no longer forwarded to AD or LDAP, so users can't lock themselves out of their Windows account. In AD, locked-out Okta users can use self-service account unlock or ask an Okta admin. Locked LDAP-sourced accounts can't be unlocked by users and must be unlocked by an admin.

  5. Click Create Policy if you created a new policy, or Update Policy if you edited the default or an existing policy.
  6. Create rules for this policy. See Add a password policy rule for instructions.
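The policy that steps 1 to 5 build in the Admin Console, expressed as the JSON body that Okta's Policies API accepts, together with a pre-flight check for the lockout guidance in step 4. This is an added example, not code from the Okta documentation: the field names follow the Okta Policy API (POST /api/v1/policies, type PASSWORD) as the editor knows it and should be checked against the current API reference, and the org URL, group ID and AD lockout threshold are placeholders constructed for the example.

```python
import json
import os
import urllib.request

# Placeholders constructed for this example (not real identifiers):
OKTA_ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")
GROUP_ID = "00gEXAMPLEGROUPID0000"   # the group chosen under "Add group"
AD_LOCKOUT_THRESHOLD = 10            # the directory's own "Account lockout threshold"


def build_password_policy(name, group_id, provider="OKTA", *, min_length=12,
                          max_age_days=0, history_count=24, okta_lockout_attempts=9,
                          auto_unlock_minutes=30, common_password_check=True):
    """Return the request body for a PASSWORD policy mirroring the console fields."""
    return {
        "type": "PASSWORD",
        "status": "ACTIVE",
        "name": name,
        "description": f"Password policy for group {group_id}",
        "conditions": {
            "people": {"groups": {"include": [group_id]}},   # "Add group"
            # "Applies to": OKTA, ACTIVE_DIRECTORY or LDAP
            "authProvider": {"provider": provider},
        },
        "settings": {
            "password": {
                "complexity": {                               # "Complexity requirements"
                    "minLength": min_length,                  # "Minimum length"
                    "minLowerCase": 1,
                    "minUpperCase": 1,
                    "minNumber": 1,
                    "minSymbol": 0,
                    "excludeUsername": True,
                    "excludeAttributes": ["firstName", "lastName"],
                    # "Common password check"
                    "dictionary": {"common": {"exclude": common_password_check}},
                },
                "age": {                                      # "Password age"
                    "maxAgeDays": max_age_days,               # 0 means never expires
                    "expireWarnDays": 0,
                    "minAgeMinutes": 0,
                    "historyCount": history_count,            # previous passwords blocked
                },
                "lockout": {                                  # "Lock out"
                    "maxAttempts": okta_lockout_attempts,     # 0 disables Okta lockout
                    "autoUnlockMinutes": auto_unlock_minutes, # 0 stays locked until unlocked
                    "userLockoutNotificationChannels": ["EMAIL"],
                    "showLockoutFailures": False,
                },
            },
        },
    }


def check_policy(policy, ad_lockout_threshold=None):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    pw = policy["settings"]["password"]
    attempts = pw["lockout"]["maxAttempts"]
    provider = policy["conditions"]["authProvider"]["provider"]
    if provider in ("ACTIVE_DIRECTORY", "LDAP") and ad_lockout_threshold is not None:
        # Okta stops forwarding failed attempts once its own limit is hit, so the
        # Okta limit must be enabled and strictly lower than the directory's.
        if not (0 < attempts < ad_lockout_threshold):
            findings.append(f"Okta lockout ({attempts}) must be between 1 and "
                            f"{ad_lockout_threshold - 1} to stay below the {provider} limit")
    if not pw["complexity"]["dictionary"]["common"]["exclude"]:
        findings.append("common password check is disabled")
    if pw["complexity"]["minLength"] < 8:
        findings.append("minLength is below the 8 characters NIST SP 800-63B requires")
    if pw["age"]["maxAgeDays"] > 0 and pw["age"]["historyCount"] == 0:
        findings.append("passwords expire but history is 0, so an expired password can be reused")
    return findings


def submit_policy(policy, org_url=OKTA_ORG_URL, token=None):
    """POST the policy to the Okta Policies API; does nothing without an API token."""
    token = token or os.environ.get("OKTA_API_TOKEN")
    if not token:
        return None                                  # offline run: nothing is sent
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"SSWS {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_password_policy("Contractors AD policy", GROUP_ID,
                                   provider="ACTIVE_DIRECTORY", okta_lockout_attempts=9)
    problems = check_policy(policy, ad_lockout_threshold=AD_LOCKOUT_THRESHOLD)
    print(json.dumps(policy, indent=2))
    print("findings:", problems or "none")
    if not problems:
        submit_policy(policy)
```

Run the check before every policy change, not only at creation: raising the Okta lockout limit later, or lowering the directory's, silently reintroduces the self-lockout the note in step 4 warns about.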

Add a password policy rule

Password policy rules allow you to determine which self-service actions are available to users, how users can initiate recovery, and whether additional verification is required during recovery. They also allow you to exclude individual users from the password policy, or restrict the password policy to users attempting to access Okta from network zones that you specify.

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, find the Password item in the list of authenticators and click Actions > Edit.
  3. Select the password policy to which you want to add a rule and click Add Rule.
  4. Complete the following fields and options:
    • Rule Name: Type a name for the rule.
    • Exclude Users: Start typing the name of a user you want to exclude from the rule. As you type, Okta suggests usernames that match your text. Select the desired user from the list. Repeat for each additional user you want to exclude.
    • IF User's IP is:
      • Anywhere: Apply the rule to all users, regardless of whether their IP address is listed in the Public Gateway IPs list.
      • In zone: Apply the rule to users in all or specific network zones.
        • All Zones: Select this checkbox to apply this rule to users in all zones.
        • Zones: Apply this rule to users in network zones that you specify. Start typing the name of a zone. As you type, Okta suggests zone names that match your text. Select the desired zone from the list. Repeat for each additional zone you want to add.
      • Not in zone: Apply the rule only to users whose IP address is outside the zones you specify, or outside every zone.
        • All Zones: Select this checkbox to apply the rule only to users who aren't in any network zone.
        • Zones: Exclude users in the network zones that you specify. Start typing the name of a zone. As you type, Okta suggests zone names that match your text. Select the desired zone from the list. Repeat for each additional zone you want to exclude.
      • See Network Zones for information on the Public Gateway IPs list and other IP Zones features.

    • THEN User can perform self-service:
      • Password change (from account settings): Allow users to change their own password and make the change-password option available in their account settings.
      • Password reset: Allow users who are unable to sign in or who forgot their password to perform self-service password resets and make the Forgot password? link appear on the Sign-In Widget.
      • Unlock account: Allow users to unlock their account by clicking the Unlock account? link on the Sign-In Widget.
      • When you select the Unlock account option, LDAP-sourced Okta user accounts are unlocked in Okta but remain locked in the on-premises LDAP instance. If you do not allow self-service unlock, see Reset an individual user password for other options.

  5. Configure ways for users to initiate recovery and provide additional verification:
    • AND Users can initiate recovery with: Select the recovery authenticators (such as Email, Phone, or Security Question) that users can use to start a password reset or account unlock.
    • AND Additional verification is:
      • Not required: Select this option if you don't require additional verification from users during recovery. Recovery is then protected only by the single recovery channel (for example, the user's mailbox or phone number), so whoever controls that channel can reset the password.
      • Any enrolled authenticator used for MFA/SSO: Allow users to use any enrolled authenticator for recovery.
      • Only Security Question: Only allow users to use a Security Question for recovery. See Configure the Security Question authenticator.
  6. Click Create Rule.
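The rule that steps 1 to 6 build in the Admin Console, expressed as the body Okta's Policy Rules API accepts, plus a small local model of how the IF conditions (Exclude Users, Anywhere, In zone, Not in zone) select a user. This is an added example, not code from the Okta documentation: the field names follow the Okta Policy API (POST /api/v1/policies/{policyId}/rules, type PASSWORD) as the editor knows it and should be checked against the current API reference; the user and zone IDs are placeholders; rule_applies is the editor's simplified model of the condition logic, not Okta's evaluator, and the recovery-authenticator and additional-verification settings of step 5 are not included.

```python
def _access(allowed):
    """Map a checkbox in the THEN section to the API's ALLOW / DENY."""
    return "ALLOW" if allowed else "DENY"


def build_password_rule(name, *, excluded_users=(), connection="ANYWHERE",
                        zones_include=(), zones_exclude=(),
                        password_change=True, password_reset=True, unlock=False):
    """Return the request body for a PASSWORD rule mirroring the console fields.

    connection="ANYWHERE" is the "Anywhere" radio button; connection="ZONE" with
    zones_include is "In zone" and with zones_exclude is "Not in zone". The
    sentinel "ALL_ZONES" in either list stands for the "All Zones" checkbox
    (assumed API representation).
    """
    network = {"connection": connection}
    if connection == "ZONE":
        if zones_include:
            network["include"] = list(zones_include)
        if zones_exclude:
            network["exclude"] = list(zones_exclude)
    return {
        "type": "PASSWORD",
        "status": "ACTIVE",
        "name": name,
        "conditions": {
            "people": {"users": {"exclude": list(excluded_users)}},   # "Exclude Users"
            "network": network,                                       # "IF User's IP is"
        },
        "actions": {
            "passwordChange": {"access": _access(password_change)},
            "selfServicePasswordReset": {"access": _access(password_reset)},
            "selfServiceUnlock": {"access": _access(unlock)},
        },
    }


def rule_applies(rule, user_id, zone_ids):
    """Simplified model: does the rule's IF block match this user and these zones?

    zone_ids is the set of network zones the user's source IP falls into
    (empty when the IP is in no zone).
    """
    cond = rule["conditions"]
    if user_id in cond["people"]["users"]["exclude"]:
        return False
    net = cond["network"]
    if net["connection"] == "ANYWHERE":
        return True
    zones = set(zone_ids)
    include = set(net.get("include", []))
    exclude = set(net.get("exclude", []))
    if include:                 # "In zone": the user must be in at least one listed zone
        return bool(zones) if "ALL_ZONES" in include else bool(zones & include)
    if exclude:                 # "Not in zone": the user must be outside every listed zone
        return not zones if "ALL_ZONES" in exclude else not (zones & exclude)
    return False


if __name__ == "__main__":
    import json
    # Placeholder IDs constructed for the example; self-service unlock only on the corporate zone.
    corp_rule = build_password_rule("Corporate network", excluded_users=["00uBREAKGLASS0000000"],
                                    connection="ZONE", zones_include=["nzoCORPZONE000000000"],
                                    unlock=True)
    print(json.dumps(corp_rule, indent=2))
    print(rule_applies(corp_rule, "00uALICE000000000000", ["nzoCORPZONE000000000"]))
```

Okta evaluates a policy's rules in priority order and applies the first one whose conditions match, so place the narrower zone-restricted rule above a catch-all Anywhere rule; the LDAP caveat above still applies, since an ALLOW on selfServiceUnlock unlocks the Okta account only.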

End-user experience

End users create an Okta password that meets the complexity, minimum length, age, and history requirements in your password policy. Unless an authentication policy rule for passwordless authentication is enabled, end users are always prompted for a password.

Notes

  • To let end users who have forgotten their password reset it with Phone, Email, or Security Question, use the rule options above (Users can initiate recovery with and Additional verification is) to configure which recovery authenticators are accepted and what additional verification is required.
  • Users are prompted to enroll in recovery authenticators the first time they sign in. If they later forget their password, they choose from the recovery authenticators the rule allows.
  • Admins can make recovery authenticators required using the Authenticator Enrollment policy. On the Enrollment tab, click Edit and configure the Active users must first authenticate with option to indicate whether any of the other factors must be authenticated before the password.

Current limitations

  • Active Directory users are not yet supported.
  • Delegated authentication to Active Directory isn't currently supported.
  • Warning users an admin-configured number of days prior to password expiration isn't currently supported.
  • Setting the expiration time for Reset and Unlock account recovery emails isn't supported.

Related topics

Self-service account recovery

Configure the Email authenticator

Configure the Phone authenticator

Configure a FIDO2 (WebAuthn) authenticator

Configure the Security Question authenticator