Password policies

Password policies with Atlassian Access

Password policies are available when you subscribe to Atlassian Access.

Atlassian Access enables company-wide visibility, security, and control across all your Atlassian Cloud products. Now there’s one place to manage your users and enforce security policies so your business can scale with confidence.

Read more about how to start with Atlassian Access.

About password policies

Atlassian Access provides password policies to help ensure that the people accessing your Atlassian Cloud products are using best practices when creating passwords. As an organization admin, you can use a password policy to require all of your managed users to meet a minimum password strength and/or password expiry period.

If you don't set a password policy with Atlassian Access, the password requirement for your users will be a password length of 8 - 100 characters.

As an Atlassian Cloud admin, there are a couple of things you need to have done before you can apply a password policy to your user's Atlassian accounts:

  1. Created an organization – see Organization administration.
  2. Verified one or more domains, to confirm you own those – see Domain verification. When you verify a domain, all the Atlassian accounts that use email addresses from the verified domain become managed by your organization. Your managed accounts are the accounts that your password policy will apply to.
  3. Subscribed to Atlassian Access.

Note that:

  • A password policy applies to Atlassian accounts, not to sites or products. Your organization password policy applies to your managed accounts even if users log in to an Atlassian Cloud product that doesn't belong to one of your verified domains. 
  • Because a password policy follows a user, anyone who logs in to one of your Atlassian Cloud products using an Atlassian account managed by another organization (not owned by you) will be subject to the password policy (if any) set by that managing organization.
  • If you remove the password policy, you will still be subscribed to Atlassian Access. If you no longer wish to enforce security policies on your managed accounts, you can unsubscribe from Atlassian Access.

Set a password policy

A password policy applies to your managed accounts, that is, the Atlassian accounts that belong to the verified domains in your organization.

To set a password policy
  1. Log in to and choose your organization.
  2. Choose Password management
  3. Set The password policy attributes are described below. 
  4. When you're finished, click Update password policy

Once enabled, your password policy will apply to your managed accounts when used to access the following Atlassian Cloud products:

  • Jira Software

  • Jira Core

  • Jira Service Desk - only for Atlassian account users from the verified domains of their organization. Jira Service Desk portal-only users that do not have Atlassian accounts (on the organization’s verified domains) are not covered by the password policy.

  • Confluence

  • Stride

  • Bitbucket

Minimum password strength

You can choose the minimum strength that all passwords should comply with. Note that Atlassian account uses an entropy score to evaluate password strength so there aren't simple rules, however these examples give some guidance:

Password strength Example
Weak asdf
Fair ryti*
Good ry2iy*Z
Strong qwe&8d&dj
Very strong DFG65&fj90x

See our tips for strong passwords below.

Password expiry

By default, passwords do not expire. However, you can set an expiry period if required, just add the numbers of days you want your password to expire by. 

Choose when to apply changes

Once the administrator has selected the password strength and/or password expiry period, they have the ability to save and apply their password policy either immediately or the next time a user changes or sets their password.

  • Immediately – users will be logged out their current session and will need to set a new password at next log in regardless of whether their existing password already met the new password policy
  • Next time user changes their password – their current session will not be terminated, but they will be prompted to set a new password at next log in. 

If you change the password strength and want the changes to take effect on next log in, you will need to reset all users' passwords.

If anyone has chosen the Keep me logged in option on the site login screen, they'll be forced to update their password after their login period expires (every 30 days).

Tips for setting strong passwords

Need to give your users some tips on how to set strong passwords? Try these:

  • Avoid patterns. Consecutive letters (either alphabetical or on the keyboard) and numbers
  • Avoid replacing letters with similar numbers or symbols (example 3 for e or $ for s)
  • Avoid short passwords. Lots of unrelated english words are hard to guess, but a single word and a single number is very easy for an attacker to break.
  • Use a password manager to generate long/random passwords
  • Use lots of 'parts' to your password, which can make it hard to crack and easier to remember. Four unrelated english words is very strong (correcthorsebatterystaple), as is a combination of words and random numbers (tape934elephant%*Pass
Last modified on Oct 31, 2018

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.