> ## Documentation Index
> Fetch the complete documentation index at: https://enterprise-docs.dify.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Password Policy

## 1. Overview

To meet enterprise compliance requirements for admin passwords, the Admin Console supports a flexible, configurable password policy that covers password complexity, expiration, and expiration reminders, balancing security, maintainability, and user experience.

Administrators can configure the following in the UI:

* Password complexity (length, character classes, consecutive character restrictions)
* Password expiration and expiration reminders

The system provides a default policy and enforces non-reducible boundaries on certain items to ensure compliance and security.

***

## 2. Configuration

### 2.1 Navigation

`Admin Console > Settings > Password Policy`

### 2.2 Password Complexity Policy

| Item                       | Default               |
| -------------------------- | --------------------- |
| Minimum password length    | Cannot be set below 8 |
| Must include uppercase     | true                  |
| Must include lowercase     | true                  |
| Must include numbers       | true                  |
| Must include special chars | false                 |
| Disallow repeated chars    | false                 |
| Disallow ascending chars   | false                 |

Notes:

* After the configuration is updated, the complexity rules take effect immediately.
  * Administrators who are currently signed out can still sign in with their existing password/SSO:
    * If the current password does not meet the new rules, they must change it after signing in.
    * If the current password meets the new rules, they are not affected.
    * Administrators who are already signed in are not affected until their next sign-in.
    * On their first SSO sign-in after the policy update, administrators will be required to update their local password to complete the compliance check.

### 2.3 Password Expiration and Reminders

| Item                     | Default | Notes                                 |
| ------------------------ | ------- | ------------------------------------- |
| Enable expiration        | false   | Takes effect immediately when enabled |
| Expiration period (days) | 90      | Minimum 1 day, maximum 3650 days      |

* After a successful password change, you must sign in again.

### 2.4 Force Password Change on First Sign-in for New Users

* New users created in the Admin Console or users whose password has been reset will be required to change their password upon first sign-in until the new password satisfies the current password complexity policy.

***

## 4. Notes

* The minimum password length cannot be less than 8; the maximum length is fixed at 64.
* The allowed special character set is fixed: `!@#$%^&*()-_+=[]{}|;:,.?/`.
* Weak-password dictionary blocking is enabled by default and cannot be turned off.
* Policy changes do not immediately affect administrators who are already signed in; they take effect on next sign-in.
* Administrators who use SSO only may be required to set/update a local password after a policy update to complete compliance checks.
* The current version does not provide role/permission-specific password policies; the policy is uniform for all system users.

***

## 5. FAQ

**Q1: Why can’t the minimum password length be set below 8?**

To meet compliance and security requirements, the system enforces a minimum of 8.

**Q2: Is preventing reuse of recent passwords (e.g., last 5) supported?**

This capability is not available in the current version. Future Enterprise Edition releases will evaluate differentiated and more advanced compliance modules.

**Q3: Are administrators who only use SSO affected by the password policy?**

Yes. After the policy is updated, on their first SSO sign-in, they will be required to update their local password to complete the compliance check.
