Password Policies
Account administrators control the password rules that apply to every user in their account. New accounts default to the current NIST SP 800-63B-4 guidance: a longer minimum length, a check against breached passwords, and no forced character classes or periodic rotation.
Existing accounts keep their previous individual settings until an administrator changes them; the new defaults are not applied retroactively.
Where to find it
Account Settings → Security → Password
The policy applies to every password your users set, including signup, self-service password change, forgot-password reset, administrator-forced reset, and account activation from an invitation.
Settings
Each setting is its own card on the page; changes are saved per card.
Minimum password length
The shortest password a user is allowed to set. Configurable from 8 to 128 characters. The default for new accounts is 15 (the NIST SP 800-63B-4 floor for a password used as the only authentication factor).
Whitespace is allowed and counts toward length. Passphrases like correct horse battery staple are valid.
Require an uppercase letter / lowercase letter / digit / symbol
Four independent toggles. When on, the password must contain at least one character of that class. "Symbol" means any character that is not a letter, digit, or whitespace — punctuation, currency marks, and Unicode symbols all qualify.
All four are off by default for new accounts. NIST advises against composition requirements on the grounds that they push users toward predictable patterns (Password1!) without measurably strengthening passwords.
Block known-breached passwords
When enabled, candidate passwords are checked against the Have I Been Pwned breached-password corpus. Passwords that appear in any known breach are rejected with the message "This password has appeared in known data breaches. Please choose another."
The check uses the HIBP k-anonymity range API: LeapFILE hashes the candidate with SHA-1, sends only the first five hex characters of that hash, receives every suffix in that range, and compares the remaining 35 characters locally. The full password and its full hash never leave LeapFILE, and the request looks the same whether or not the password turns out to be breached. SHA-1 appears here only because the HIBP corpus is indexed by SHA-1; it is the lookup key for the breach check, not a password-storage hash.
On by default for new accounts.
Block previously used passwords
Blocks reuse of any of the user's most recent N passwords. The depth is configurable from 1 to 50. Off by default for new accounts; NIST does not require history checking.
Password expiration
Forces users to reset their password after a specified number of days (minimum 1). Off by default for new accounts. NIST advises against periodic forced rotation; only require a change when there is evidence of compromise. Schedule-based expiration tends to produce weaker passwords (Password1 → Password2) without addressing the threats it was meant to mitigate.
Allow users to reset their password
Controls whether users can initiate their own password reset from the login page. When off, only an administrator can reset a user's password.
How rules are evaluated
When a user submits a new password, the rules are checked in this order. Only the first failure is reported; the remaining rules are not evaluated until the earlier ones pass:
- Minimum length
- Required uppercase / lowercase / digit / symbol (in that order, only the enabled ones)
- Breach check (only if enabled)
- Password reuse history (skipped on signup, since the user has no history)
A user with a too-short password sees the length error first and won't yet know about a composition or breach problem. Communicate the full rule set in advance — see below.
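The evaluation order above and the k-anonymity lookup behind the breach-check setting, as an added Python example. This is not LeapFILE's code: the Policy fields, function names, wording of the composition-rule messages and the breach data are this example's own assumptions. The fetcher is an offline stand-in that produces responses in the same format as the real range endpoint (https://api.pwnedpasswords.com/range/{prefix}) from a constructed list, so the example runs without network access.

```python
# Added example (not LeapFILE's code): rule evaluation in the page's order plus
# the k-anonymity breach lookup. Policy fields, names, composition-rule wording
# and the breach data below are this example's own assumptions.
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

BREACH_MESSAGE = "This password has appeared in known data breaches. Please choose another."


@dataclass
class Policy:
    """One field per card on the Password settings page; defaults = new account."""
    min_length: int = 15
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    block_breached: bool = True
    history_depth: int = 0  # 0 means "Block previously used passwords" is off


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a candidate into the 5-char prefix that
    goes to the range API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range API body: one 'SUFFIX:COUNT' per line, CRLF separated."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the candidate appears in the corpus. Only the prefix is handed to
    fetch_range; the suffix comparison happens on this side."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def constructed_range_fetcher(leaked: dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Builds responses in the real format from a CONSTRUCTED password -> count
    dict (not real HIBP figures) so the example runs without network access."""
    rows: dict[str, list[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        rows.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        if len(prefix) != 5:  # the prefix is the only thing that leaves the host
            raise ValueError("range API takes exactly a 5-hex-character prefix")
        return "\r\n".join(rows.get(prefix, []))

    return fetch


def history_digest(password: str) -> str:
    """Fingerprint for the reuse check. SHA-256 keeps the example short; a real
    verifier compares against the stored slow-hash (argon2/bcrypt) records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate(password: str, policy: Policy, fetch_range: Callable[[str], str],
             previous_digests: Iterable[str] = (), is_signup: bool = False) -> Optional[str]:
    """Return the first failing rule's message, or None if the password passes.
    Order: length, upper, lower, digit, symbol, breach check, reuse history."""
    if len(password) < policy.min_length:
        return f"Be at least {policy.min_length} characters"
    composition = [  # (enabled, per-character predicate, message), page order
        (policy.require_upper, str.isupper, "Contain an uppercase letter"),
        (policy.require_lower, str.islower, "Contain a lowercase letter"),
        (policy.require_digit, str.isdigit, "Contain a digit"),
        (policy.require_symbol,
         lambda ch: not (ch.isalnum() or ch.isspace()), "Contain a symbol"),
    ]
    for enabled, predicate, message in composition:
        if enabled and not any(predicate(ch) for ch in password):
            return message
    if policy.block_breached and breach_count(password, fetch_range) > 0:
        return BREACH_MESSAGE
    if policy.history_depth and not is_signup:  # no history exists at signup
        recent = list(previous_digests)[-policy.history_depth:]
        if history_digest(password) in recent:
            return f"Be different from your last {policy.history_depth} passwords"
    return None
```

Replacing constructed_range_fetcher with a function that performs the HTTP GET against the real endpoint turns this into a live check without touching validate; the request it sends is the same five characters regardless of whether the password is breached, which is what makes the lookup safe to perform against a third-party service.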
What your users see
The password-set screens display the active rules as a checklist so users know what's required before they type. With the default settings for a new account, that checklist reads:
- Be at least 15 characters
- Not appear in any known data breach
On the change-password screen, if password reuse history is on, an additional bullet appears:
- Be different from your last N passwords
Composition bullets are added only for the requirements you have enabled.
Recommendations
- New accounts: keep the defaults. The NIST-aligned settings are both more secure and less frustrating for users than traditional composition rules.
- Existing accounts: plan a switch to the NIST-aligned settings. Communicate the change to your users before turning on the breach check or raising the minimum length. Existing stored passwords remain valid; the new rules apply the next time each user sets a password.
- Avoid layering composition on top of length. Requiring a symbol and 15 characters does not measurably increase strength but does measurably increase support tickets.
- Leave password expiration off unless a contractual or regulatory obligation requires it. Schedule-based rotation is no longer a security recommendation.