ContextQMD
Back to Authentik

Password Uniqueness Policy

website/docs/customize/policies/unique_password.md

latest2.3 KB
Original Source

The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below.

How it works

This policy maintains a record of previously used passwords for each user. When a new password is created, it is compared against this historical log. If a match is found with any previous password, the policy is not met, and the user is required to choose a different password.

The password history is maintained automatically when this policy is in use. Old password hashes are stored securely in authentik's database.

:::info This policy takes effect after the first password change following policy activation. Before that first change, there's no password history data to compare against. :::

Integration with other policies

For comprehensive password security, consider using this policy alongside:

Implement a Password Uniqueness policy

To implement a policy that prevents users from reusing their previous passwords, follow these steps:

  1. In the Admin interface, navigate to Customization > Policies.
  2. Click Create to define a new Password Uniqueness Policy.
    • Name: provide a descriptive name for the policy.
    • Password field: enter the name of the input field to check for the new password. By default, if no custom flows are used, the field name is password. This field name must match the field name used in your Prompt stage.
    • Number of previous passwords to check: enter the number of past passwords that you want to set as the number of previous passwords that are checked and stored for each user, with a default of 1. For instance, if set to 3, users will not be able to reuse any of their last 3 passwords.
  3. Bind the policy to your password prompt stage: For example, if you're using the default-password-change flow, edit the default-password-change-prompt stage and add the policy in the Validation Policies section.

:::info Password history records are stored securely and cannot be used to reconstruct original passwords. :::