Use password policy
This document shows you how to use password policy to improve password strength for your new and existing users.
Overview
With password policy you can improve account security by enforcing password complexity requirements. When you enable the feature, you provide a policy that sets the requirements for passwords. Password policy has the following enforcement states:
- Off: the feature is disabled and users can use any password.
- Enforced: policy compliance is enforced as follows:
  - Existing users: for existing users, you can configure one of the following modes:
    - Require mode ("forceUpgradeOnSignin": true): attempts to sign in fail until the user updates to a policy-compliant password.
    - Notify mode ("forceUpgradeOnSignin": false): users are allowed to sign in, but receive a notification to update their password. Accounts with non-compliant passwords therefore stay fully usable in this mode; treat it as a transition step and switch to require mode once users have had time to update.
  - New or password-reset users: these users are required to choose a password that complies with the policy.
Password policy supports the following password requirements:
- Lowercase character required
- Uppercase character required
- Numeric character required
- Non-alphanumeric character required
- Minimum password length
- Maximum password length
Choose the maximum length generously: a low cap rejects long passphrases, and NIST SP 800-63B recommends accepting passwords of at least 64 characters.
The following characters satisfy the non-alphanumeric character requirement if configured:
^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ `
Characters not in this list (for example, space, - and +) do not satisfy the requirement, so a password whose only special character is one of those is rejected.
Before you begin
- Preview access: Ask your Google Cloud account team to request access to the password policy preview for your project. Your account team notifies you when you have been granted access to the preview.
- Configure email sign-in.
Enable password policy
Scope to a tenant
If you are using multi-tenancy, password policy is configured on a per-tenant basis. To learn how to select a tenant, see Selecting a tenant.
Configure password policy
To enable password policy in notify mode, run the following command, replacing ACCESS_TOKEN with an OAuth 2.0 access token for your project (for example, the output of gcloud auth print-access-token) and project-id with your project ID:
curl -i -X PATCH -H 'Content-Type: application/json' -H 'Authorization: Bearer ACCESS_TOKEN' -d '
{
  "passwordPolicyConfig": {
    "passwordPolicyEnforcementState": "ENFORCE",
    "forceUpgradeOnSignin": false,
    "passwordPolicyVersions": [
      {
        "customStrengthOptions": {
          "containsUppercaseCharacter": true,
          "containsLowercaseCharacter": true,
          "containsNumericCharacter": true,
          "containsNonAlphanumericCharacter": true,
          "minPasswordLength": 8,
          "maxPasswordLength": 30
        }
      }
    ]
  }
}' 'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'
To enable password policy in require mode, run the following command; the only change from notify mode is "forceUpgradeOnSignin": true:
curl -i -X PATCH -H 'Content-Type: application/json' -H 'Authorization: Bearer ACCESS_TOKEN' -d '
{
  "passwordPolicyConfig": {
    "passwordPolicyEnforcementState": "ENFORCE",
    "forceUpgradeOnSignin": true,
    "passwordPolicyVersions": [
      {
        "customStrengthOptions": {
          "containsUppercaseCharacter": true,
          "containsLowercaseCharacter": true,
          "containsNumericCharacter": true,
          "containsNonAlphanumericCharacter": true,
          "minPasswordLength": 8,
          "maxPasswordLength": 30
        }
      }
    ]
  }
}' 'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'
Disable password policy
To disable password policy, run the following command. The body still carries the strength options; only "passwordPolicyEnforcementState" changes to "OFF", after which users can choose any password:
curl -i -X PATCH -H 'Content-Type: application/json' -H 'Authorization: Bearer ACCESS_TOKEN' -d '
{
  "passwordPolicyConfig": {
    "passwordPolicyEnforcementState": "OFF",
    "forceUpgradeOnSignin": false,
    "passwordPolicyVersions": [
      {
        "customStrengthOptions": {
          "containsUppercaseCharacter": true,
          "containsLowercaseCharacter": true,
          "containsNumericCharacter": true,
          "containsNonAlphanumericCharacter": true,
          "minPasswordLength": 8,
          "maxPasswordLength": 30
        }
      }
    ]
  }
}' 'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'
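The following Python helper is an added example, not code from this page or from Google. It covers the three requests above (off, notify and require modes) by generating the strict-JSON request body for each, and it mirrors the documented strength options (including the exact set of non-alphanumeric characters listed earlier) so an application can pre-check a candidate password before it is submitted. The function names, the default strength options (the same values as the curl examples) and the ASCII-only letter and digit checks are assumptions of this example; the page does not state how the service treats non-ASCII letters.

```python
"""Password policy helpers for the Identity Platform config API.

Added example (not the page's or Google's own code): builds the PATCH body
for .../v2/projects/PROJECT_ID/config?updateMask=passwordPolicyConfig and
pre-checks candidate passwords against the same strength options.
"""
import json
import sys

# Exactly the characters the page lists as satisfying the non-alphanumeric
# requirement. Note what is absent: space, '-', '+' and '=' do not count.
NON_ALNUM_CHARS = frozenset('^$*.[]{}()?"!@#%&/\\,><\':;|_~`')

# Same strength options as the curl examples (assumed defaults for this script).
DEFAULT_STRENGTH = {
    "containsUppercaseCharacter": True,
    "containsLowercaseCharacter": True,
    "containsNumericCharacter": True,
    "containsNonAlphanumericCharacter": True,
    "minPasswordLength": 8,
    "maxPasswordLength": 30,
}

# mode -> (passwordPolicyEnforcementState, forceUpgradeOnSignin), as documented.
MODES = {
    "off": ("OFF", False),
    "notify": ("ENFORCE", False),
    "require": ("ENFORCE", True),
}


def build_password_policy_body(mode, strength=None):
    """Return the JSON request body for the given mode as a string.

    json.dumps emits strict JSON (no trailing commas), which is what the
    API expects in the -d payload.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    state, force_upgrade = MODES[mode]
    options = DEFAULT_STRENGTH if strength is None else strength
    body = {
        "passwordPolicyConfig": {
            "passwordPolicyEnforcementState": state,
            "forceUpgradeOnSignin": force_upgrade,
            "passwordPolicyVersions": [{"customStrengthOptions": dict(options)}],
        }
    }
    return json.dumps(body, indent=2)


def check_password(password, strength=None):
    """Return the names of the strength options the password fails.

    An empty list means the password satisfies every configured option.
    Letter and digit checks are ASCII-only here (an assumption of this
    example); the documented non-alphanumeric set is used verbatim.
    """
    opts = DEFAULT_STRENGTH if strength is None else strength
    failures = []
    if opts.get("containsUppercaseCharacter") and not any("A" <= c <= "Z" for c in password):
        failures.append("containsUppercaseCharacter")
    if opts.get("containsLowercaseCharacter") and not any("a" <= c <= "z" for c in password):
        failures.append("containsLowercaseCharacter")
    if opts.get("containsNumericCharacter") and not any("0" <= c <= "9" for c in password):
        failures.append("containsNumericCharacter")
    if opts.get("containsNonAlphanumericCharacter") and not any(c in NON_ALNUM_CHARS for c in password):
        failures.append("containsNonAlphanumericCharacter")
    min_len = opts.get("minPasswordLength")
    if min_len is not None and len(password) < min_len:
        failures.append("minPasswordLength")
    max_len = opts.get("maxPasswordLength")
    if max_len is not None and len(password) > max_len:
        failures.append("maxPasswordLength")
    return failures


if __name__ == "__main__":
    # Usage: python3 password_policy.py require > body.json
    # then:  curl -i -X PATCH -H 'Content-Type: application/json' \
    #          -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    #          -d @body.json \
    #          'https://identitytoolkit.googleapis.com/v2/projects/project-id/config?updateMask=passwordPolicyConfig'
    print(build_password_policy_body(sys.argv[1] if len(sys.argv) > 1 else "notify"))
```

The pre-check is useful precisely where the rules surprise users: "Passw0rd-1" fails the non-alphanumeric requirement because "-" is not in the documented character set, and a 31-character passphrase fails the 30-character maximum, so both cases can be reported in the sign-up form before the server rejects them.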