Configuring a Password Policy

Password policies enhance the security of your installation. You can use the default policy that ships with Liferay (modified or as is), or you can create your own policies. Policies can be assigned to users or organizations.

Note

The default password policy gets assigned to all new users. If you want to associate users with a custom password policy, you must assign them as members of that policy.

Modifying the Default Password Policy

To change the default policy,

  1. Navigate to Control Panel → Security → Password Policies.

  2. Click the Actions icon next to the Default Password Policy and click Edit.

  3. Make your desired changes in the configuration window.

  4. Click Save.

Policy Configuration Reference

Password Changes: Allow or prevent password changes, control the expiry of passwords, and set a time limit on the validity of password reset links. These are the customizable options:

  • Changeable (Liferay DXP 2023.Q4+/Portal GA92+): If checked, users can change their passwords. If unchecked, the Password navigation tab isn’t visible to the user via Account Settings and the Users and Organizations application.
  • Change Required: If checked, users must change their passwords when they first log in.
  • Minimum Age: Determines how long users must wait before changing their passwords again.
  • Reset Ticket Max Age: Determines the validity of a password reset link.

Password Syntax Checking: Require a certain syntax when choosing a password. You can disallow dictionary words, set a minimum length, and more in this section.

Password History: Decide how many passwords to keep in the history, preventing old passwords from being reused.

Password Expiration: If passwords expire, specify how long passwords are valid, when and whether a warning is sent, and a Grace Limit: how many logins are allowed after the password is expired before forcing a password change.

Lockout: Set a maximum number of failed authentication attempts before the account is locked, how long the number of attempts is stored, and how long the lockout lasts.
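The following is an added example (not Liferay code) that models how the Password Expiration and Lockout settings above interact on a single account. Property names follow the page; the exact semantics, in particular that the failure counter starts over once the most recent failure is older than reset.failure.count, and that a lockout.duration of 0 means only an administrator can unlock, are this example's reading of the descriptions, not a statement about Liferay internals.

```python
"""Toy model of Liferay's Password Expiration and Lockout settings.

Added example, not Liferay code. The interpretation of each property
(see comments) is an assumption drawn from the documentation text.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Policy:
    expireable: bool = False
    max_age: int = 8640000          # seconds a password stays valid
    warning_time: int = 86400       # seconds before expiry at which to warn
    grace_limit: int = 0            # logins allowed after the password expired
    lockout: bool = False
    max_failure: int = 3            # failed attempts before the account locks
    reset_failure_count: int = 600  # seconds a failed-login record is kept
    lockout_duration: int = 0       # seconds locked; 0 = until an admin unlocks


@dataclass
class Account:
    password_set_at: int            # epoch seconds of the last password change
    failed_attempts: int = 0
    last_failure_at: Optional[int] = None
    locked_at: Optional[int] = None
    grace_used: int = 0


def is_locked(p: Policy, a: Account, now: int) -> bool:
    if not p.lockout or a.locked_at is None:
        return False
    if p.lockout_duration == 0:
        return True                 # assumption: only an administrator can unlock
    return now < a.locked_at + p.lockout_duration


def record_failure(p: Policy, a: Account, now: int) -> None:
    """Count a wrong password and lock the account once max_failure is reached."""
    if not p.lockout:
        return
    # assumption: failures older than reset_failure_count no longer count
    if a.last_failure_at is not None and now - a.last_failure_at > p.reset_failure_count:
        a.failed_attempts = 0
    a.failed_attempts += 1
    a.last_failure_at = now
    if a.failed_attempts >= p.max_failure:
        a.locked_at = now


def expiry_status(p: Policy, a: Account, now: int) -> str:
    """Return 'ok', 'warn' (inside warning_time of expiry) or 'expired'."""
    if not p.expireable:
        return "ok"
    age = now - a.password_set_at
    if age >= p.max_age:
        return "expired"
    if age >= p.max_age - p.warning_time:
        return "warn"
    return "ok"


def attempt_login(p: Policy, a: Account, now: int, password_ok: bool) -> Tuple[bool, str]:
    """Return (allowed, reason). A successful login clears the failure record."""
    if is_locked(p, a, now):
        return False, "locked"
    if not password_ok:
        record_failure(p, a, now)
        return False, "locked" if is_locked(p, a, now) else "bad-password"
    a.failed_attempts = 0
    a.last_failure_at = None
    a.locked_at = None              # an elapsed timed lockout is cleared here
    status = expiry_status(p, a, now)
    if status == "expired":
        if a.grace_used < p.grace_limit:
            a.grace_used += 1       # grace login: allowed, but a change is due
            return True, "expired-grace"
        return False, "expired-change-required"
    return True, status


if __name__ == "__main__":
    policy = Policy(lockout=True, max_failure=3, lockout_duration=0)
    acct = Account(password_set_at=0)
    for t in (0, 100, 800, 810, 820):
        print(t, attempt_login(policy, acct, t, password_ok=False))
```

Running the block walks one account through five failed attempts: the third failure at t=800 happens more than 600 seconds after the previous one, so the counter restarts and the lock only triggers on the fifth attempt. Because lockout_duration is 0, a later correct password is still refused until an administrator intervenes.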

Important

When a user belongs to multiple organizations with different password policies, Liferay applies the policy from the first organization it finds. The order is not guaranteed, so it’s best to maintain consistent password policies across all organizations.

Modifying the Default Password Policy Using Portal Properties

You can also modify any of these configurations using portal properties. These are the default values:

passwords.default.policy.allow.dictionary.words=true
passwords.default.policy.changeable=true
passwords.default.policy.change.required=true
passwords.default.policy.check.syntax=false
passwords.default.policy.expireable=false
passwords.default.policy.grace.limit=0
passwords.default.policy.history=false
passwords.default.policy.history.count=6
passwords.default.policy.lockout=false
passwords.default.policy.lockout.duration=0
passwords.default.policy.max.age=8640000
passwords.default.policy.max.failure=3
passwords.default.policy.min.age=0
passwords.default.policy.min.alphanumeric=0
passwords.default.policy.min.length=6
passwords.default.policy.min.lowercase=0
passwords.default.policy.min.numbers=1
passwords.default.policy.min.symbols=0
passwords.default.policy.min.uppercase=1
passwords.default.policy.name=Default Password Policy
passwords.default.policy.regex=(?=.{4})(?:[a-zA-Z0-9]*)
passwords.default.policy.reset.failure.count=600
passwords.default.policy.reset.ticket.max.age=86400
passwords.default.policy.warning.time=86400

The only mandatory property is passwords.default.policy.name. You must change the default policy name for any of your other policy changes to take effect.

Creating a Custom Password Policy

A custom password policy might be useful in some scenarios. For example, you may want certain users or user groups to have stricter password rules. To create a custom policy,

  1. Navigate to Control Panel → Security → Password Policies.

  2. Click the Add icon to add a new policy.

  3. In the configuration window, provide a name and description for your password policy.

  4. Set the properties for your policy (see above). When finished, click Save.

Assigning Members to a Password Policy

  1. Click the Actions icon next to the password policy and select Assign Members.

  2. You can add individual users or organizations to the password policy. Click the Add icon and a new form pops up.

  3. Make your selection (of users or organizations). When finished, click Add.

    Your users or organizations are now associated with your password policy.

Using the Properties File

During the initial setup of your Liferay instance, you can create a custom password policy using the portal-ext.properties file. Add the properties and values you want to customize into the file. Make sure to add a name for your password policy.

For example, if you wanted a custom password policy that requires a minimum length, numbers, and symbols, you might set these values:

#
# Properties for a Custom Password Policy
#

...
passwords.default.policy.name=Custom Password Policy
passwords.default.policy.check.syntax=true
passwords.default.policy.min.length=10
passwords.default.policy.min.numbers=1
passwords.default.policy.min.symbols=1
...
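The example below is added here and is not Liferay's validator; it shows what the Password Syntax Checking options and the custom-policy fragment above amount to when applied to a candidate password. It parses a constructed portal-ext.properties fragment (same keys as on this page) and reports which of the min.* rules a password violates. The ASCII punctuation set used for "symbols", the exact-match dictionary test, and the tiny constructed word list are assumptions; Liferay's real dictionary and character classes may differ.

```python
"""Parse password policy properties and check a password against them.

Added example, not Liferay code. Symbol set and dictionary semantics are
assumptions made for illustration.
"""
import string
from typing import Dict, List

PREFIX = "passwords.default.policy."

# Constructed portal-ext.properties fragment mirroring the custom policy above
SAMPLE_PROPERTIES = """
#
# Properties for a Custom Password Policy
#
passwords.default.policy.name=Custom Password Policy
passwords.default.policy.check.syntax=true
passwords.default.policy.allow.dictionary.words=false
passwords.default.policy.min.length=10
passwords.default.policy.min.numbers=1
passwords.default.policy.min.symbols=1
passwords.default.policy.min.uppercase=1
passwords.default.policy.min.lowercase=0
passwords.default.policy.min.alphanumeric=0
"""

# Constructed stand-in for a list of disallowed common words
DICTIONARY = {"password", "welcome", "liferay", "summer"}


def parse_properties(text: str) -> Dict[str, str]:
    """Read key=value lines of a Java-style properties file ('#'/'!' lines are comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _int(props: Dict[str, str], name: str, default: int) -> int:
    return int(props.get(PREFIX + name, default))


def _bool(props: Dict[str, str], name: str, default: str) -> bool:
    return props.get(PREFIX + name, default).lower() == "true"


def check_syntax(password: str, props: Dict[str, str]) -> List[str]:
    """Return the violated rules; an empty list means the password passes."""
    if not _bool(props, "check.syntax", "false"):
        return []                       # syntax checking is switched off
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    alnum = sum(c.isalnum() for c in password)
    symbols = sum(c in string.punctuation for c in password)   # assumption: ASCII punctuation
    # (property suffix, page default, observed count)
    rules = [
        ("min.length", 6, len(password)),
        ("min.numbers", 1, digits),
        ("min.symbols", 0, symbols),
        ("min.uppercase", 1, upper),
        ("min.lowercase", 0, lower),
        ("min.alphanumeric", 0, alnum),
    ]
    problems = []
    for name, default, actual in rules:
        required = _int(props, name, default)
        if actual < required:
            problems.append(f"{name}: need {required}, have {actual}")
    if not _bool(props, "allow.dictionary.words", "true"):
        if password.lower() in DICTIONARY:   # assumption: exact-match dictionary test
            problems.append("allow.dictionary.words: common word")
    return problems


if __name__ == "__main__":
    policy = parse_properties(SAMPLE_PROPERTIES)
    for candidate in ("PASSWORD", "Tr0ub4dor&x"):
        print(candidate, check_syntax(candidate, policy) or "ok")
```

Defaults in the rules table are the page's own default values, so a property missing from the file falls back to the same value the default policy would use; turning check.syntax off disables every rule at once, which is why the page recommends enabling it when you tighten the policy.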

Note

You can only use portal properties to create a custom password policy during initial Liferay instance setup. To modify it afterwards, you must use the control panel UI. To modify the default password policy, you must also use the control panel UI.

See the reference below for a full list of properties that you can use to customize your password policy.

Once you have your portal-ext.properties file, place it in the [Liferay Home] folder. Learn more about portal properties, or, if you use Docker, about configuring a Docker container.

Password Properties Reference

Each entry lists the property, its default value, and what it controls.

  • passwords.default.policy.allow.dictionary.words (default: true): Common dictionary words are allowed as the user’s passwords.
  • passwords.default.policy.changeable (default: true): Users can change their passwords.
  • passwords.default.policy.change.required (default: true): Users are required to change their password when they first log in.
  • passwords.default.policy.check.syntax (default: false): The password is checked for specific words, length rules, and required character patterns.
  • passwords.default.policy.expireable (default: false): Passwords expire after a set amount of time.
  • passwords.default.policy.grace.limit (default: 0): Specifies the number of logins allowed after the password has expired.
  • passwords.default.policy.history (default: false): Keep a history of the user’s passwords and prevent them from reusing a previous password.
  • passwords.default.policy.history.count (default: 6): Determines the number of previous passwords to keep in the history.
  • passwords.default.policy.lockout (default: false): Users can attempt to log in a certain number of times before their accounts are locked.
  • passwords.default.policy.lockout.duration (default: 0): Specifies the amount of time that a user’s account remains locked. A value of 0 means it can only be unlocked by an administrator. Time is in seconds.
  • passwords.default.policy.max.age (default: 8640000): Determines how long a password is valid before it must be changed. Time is in seconds.
  • passwords.default.policy.max.failure (default: 3): Specifies the maximum number of login attempts with the wrong password.
  • passwords.default.policy.min.age (default: 0): Determines how long users must wait before changing their passwords. Time is in seconds.
  • passwords.default.policy.min.alphanumeric (default: 0): Specifies the minimum number of alphanumeric letters required in the password.
  • passwords.default.policy.min.length (default: 6): Specifies the minimum length required of the user’s password.
  • passwords.default.policy.min.lowercase (default: 0): Specifies the minimum number of lower case letters required in the password.
  • passwords.default.policy.min.numbers (default: 1): Specifies the minimum number of numbers required in the password.
  • passwords.default.policy.min.symbols (default: 0): Specifies the minimum number of symbols required in the password.
  • passwords.default.policy.min.uppercase (default: 1): Specifies the minimum number of uppercase letters required in the password.
  • passwords.default.policy.name (default: Default Password Policy): Specifies the password policy name.
  • passwords.default.policy.regex (default: (?=.{4})(?:[a-zA-Z0-9]*)): If using the RegExpToolkit to generate passwords, this sets the regular expression pattern for generating and validating passwords.
  • passwords.default.policy.reset.failure.count (default: 600): Specifies how long a record of failed logins is kept. Time is in seconds.
  • passwords.default.policy.reset.ticket.max.age (default: 86400): Specifies the validity of a password reset link in seconds. Liferay DXP 2023.Q4+/Portal GA98+: it also applies to new account password setup links.
  • passwords.default.policy.warning.time (default: 86400): Specifies how long before password expiration users are notified. Time is in seconds.