
Use password policy

This document shows you how to use password policy to improve password strength for your new and existing users.

Overview

With password policy you can improve account security by enforcing password complexity requirements. When you enable the feature, you provide a policy that sets the requirements for passwords. You can use password policy as follows:

  • Off: the feature is disabled and users can use any password.
  • Enforced: policy compliance is enforced as follows:

    • Existing users: you can configure one of the following modes:

      • Require mode ("forceUpgradeOnSignin":true): attempts to sign in fail until the user updates to a policy-compliant password.
      • Notify mode ("forceUpgradeOnSignin":false): users are allowed to sign in, but receive a notification to update their password.
    • New or password-reset users: these users are required to choose a password that complies with the policy.

Password policy supports the following password requirements:

  • Lowercase character required
  • Uppercase character required
  • Numeric character required
  • Non-alphanumeric character required
  • Minimum password length
  • Maximum password length

The following characters satisfy the non-alphanumeric character requirement if configured:

  • ^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ `

Before you begin

  • Preview access: Ask your Google Cloud account team to request access to the password policy preview for your project. Your account team notifies you when you have been granted access to the preview.
  • Configure email sign-in.

Enable password policy

Scope to a tenant

If you are using multi-tenancy, password policy is configured on a per-tenant basis. To learn how to select a tenant, see Selecting a tenant.

Configure password policy

curl

To enable password policy in notify mode, execute the following command:

curl -i -X PATCH -H 'Content-Type: application/json' -H 'Authorization: Bearer ACCESS_TOKEN' -d '
  {
    "passwordPolicyConfig": {
      "passwordPolicyEnforcementState": "ENFORCE",
      "forceUpgradeOnSignin": false,
      "passwordPolicyVersions": [
        {
          "customStrengthOptions": {
            "containsUppercaseCharacter": true,
            "containsLowercaseCharacter": true,
            "containsNumericCharacter": true,
            "containsNonAlphanumericCharacter": true,
            "minPasswordLength": 8,
            "maxPasswordLength": 30
          }
        }
      ]
    }
  }' 'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'

To enable password policy in require mode, execute the following command:

curl -i -X PATCH -H 'Content-Type: application/json' -H 'Authorization: Bearer ACCESS_TOKEN' -d '
  {
    "passwordPolicyConfig": {
      "passwordPolicyEnforcementState": "ENFORCE",
      "forceUpgradeOnSignin": true,
      "passwordPolicyVersions": [
        {
          "customStrengthOptions": {
            "containsUppercaseCharacter": true,
            "containsLowercaseCharacter": true,
            "containsNumericCharacter": true,
            "containsNonAlphanumericCharacter": true,
            "minPasswordLength": 8,
            "maxPasswordLength": 30
          }
        }
      ]
    }
  }' 'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'

Admin SDK

Important: Complete Installing the Admin SDK before proceeding.

To enable password policy in notify mode, execute the following code:

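// Assumes the Admin SDK app is already initialized (see Installing the Admin SDK)
const { getAuth } = require('firebase-admin/auth');

// Get project config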
const getProjectConfig = () => {
  getAuth().projectConfigManager().getProjectConfig()
  .then((response) => {
    console.log('Project password policy config: ', response.passwordPolicyConfig);
  }).catch((error) => {
    console.log('Error getting project config:', error);
  });
}

// Update project config with password policy config
const updateConfigRequest = {
  passwordPolicyConfig: {
    passwordPolicyEnforcementState: "ENFORCE",
    forceUpgradeOnSignin: false,
    passwordPolicyVersions: [
      {
        customStrengthOptions: {
          containsNumericCharacter: true,
          containsLowercaseCharacter: true,
          containsNonAlphanumericCharacter: true,
          containsUppercaseCharacter: true,
          maxPasswordLength: 30,
          minPasswordLength: 8
        }
      }
    ],
  }
};
const updateProjectConfigWithPasswordPolicy = () => {
  getAuth().projectConfigManager().updateProjectConfig(updateConfigRequest).then((response) => {
    console.log('Updated password policy config for project: ', response.passwordPolicyConfig);
  }).catch((error) => {
    console.log('Error updating project config:', error);
  });
}

To enable password policy in require mode, execute the following code:

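// Assumes the Admin SDK app is already initialized (see Installing the Admin SDK)
const { getAuth } = require('firebase-admin/auth');

// Get project config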
const getProjectConfig = () => {
  getAuth().projectConfigManager().getProjectConfig()
  .then((response) => {
    console.log('Project password policy config: ', response.passwordPolicyConfig);
  }).catch((error) => {
    console.log('Error getting project config:', error);
  });
}

// Update project config with password policy config
const updateConfigRequest = {
  passwordPolicyConfig: {
    passwordPolicyEnforcementState: "ENFORCE",
    forceUpgradeOnSignin: true,
    passwordPolicyVersions: [
      {
        customStrengthOptions: {
          containsNumericCharacter: true,
          containsLowercaseCharacter: true,
          containsNonAlphanumericCharacter: true,
          containsUppercaseCharacter: true,
          maxPasswordLength: 30,
          minPasswordLength: 8
        }
      }
    ],
  }
};
const updateProjectConfigWithPasswordPolicy = () => {
  getAuth().projectConfigManager().updateProjectConfig(updateConfigRequest).then((response) => {
    console.log('Updated password policy config for project: ', response.passwordPolicyConfig);
  }).catch((error) => {
    console.log('Error updating project config:', error);
  });
}

Disable password policy

curl

To disable password policy, execute the following command:

curl -i -X PATCH -H 'Content-Type: application/json' -H 'Authorization: Bearer ACCESS_TOKEN' -d '
  {
    "passwordPolicyConfig": {
      "passwordPolicyEnforcementState": "OFF",
      "forceUpgradeOnSignin": false,
      "passwordPolicyVersions": [
        {
          "customStrengthOptions": {
            "containsUppercaseCharacter": true,
            "containsLowercaseCharacter": true,
            "containsNumericCharacter": true,
            "containsNonAlphanumericCharacter": true,
            "minPasswordLength": 8,
            "maxPasswordLength": 30
          }
        }
      ]
    }
  }' 'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'

Admin SDK

Important: Complete Installing the Admin SDK before proceeding.

To disable password policy, execute the following code:

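// Assumes the Admin SDK app is already initialized (see Installing the Admin SDK)
const { getAuth } = require('firebase-admin/auth');

// Get project config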
const getProjectConfig = () => {
  getAuth().projectConfigManager().getProjectConfig()
  .then((response) => {
    console.log('Project password policy config: ', response.passwordPolicyConfig);
  }).catch((error) => {
    console.log('Error getting project config:', error);
  });
}

// Update project config with password policy config
const updateConfigRequest = {
  passwordPolicyConfig: {
    passwordPolicyEnforcementState: "OFF",
    forceUpgradeOnSignin: false,
    passwordPolicyVersions: [
      {
        customStrengthOptions: {
          containsNumericCharacter: true,
          containsLowercaseCharacter: true,
          containsNonAlphanumericCharacter: true,
          containsUppercaseCharacter: true,
          maxPasswordLength: 30,
          minPasswordLength: 8
        }
      }
    ],
  }
};
const updateProjectConfigWithPasswordPolicy = () => {
  getAuth().projectConfigManager().updateProjectConfig(updateConfigRequest).then((response) => {
    console.log('Updated password policy config for project: ', response.passwordPolicyConfig);
  }).catch((error) => {
    console.log('Error updating project config:', error);
  });
}