About password policies
Set a password policy to help ensure that the people accessing your Atlassian Cloud products are using best practices when creating passwords. A password policy allows an organization admin to require that all of their managed users meet a minimum password strength and/or password expiry period.
As an Atlassian Cloud admin, there are a couple of things you need to have done before you can apply a password policy to your users' Atlassian accounts:
- Created an organization – see Organization administration.
- Verified one or more domains, to confirm you own them – see Domain verification. When you verify a domain, all the Atlassian accounts that use email addresses from the verified domain become managed by your organization. Your managed accounts are the accounts that your password policy will apply to.
- Subscribed to Atlassian Access.
- A password policy applies to Atlassian accounts, not to sites or products. Your organization password policy applies to your managed accounts even if users log in to an Atlassian Cloud product that doesn't belong to one of your verified domains.
- Because a password policy follows a user, anyone who logs in to one of your Atlassian Cloud products using an Atlassian account managed by another organization (not owned by you) will be subject to the password policy (if any) set by that managing organization.
- If you remove the password policy, you will still be subscribed to Atlassian Access. If you no longer wish to enforce security policies on your managed accounts, you can unsubscribe from Atlassian Access.
Set a password policy
A password policy applies to your managed accounts, that is, the Atlassian accounts that belong to the verified domains in your organization.
To set a password policy:
- Log in to admin.atlassian.com and choose your organization.
- Choose Password management.
- Set the password policy attributes (described below).
- When you're finished, click Update password policy.
Once enabled, your password policy will apply to your managed accounts when used to access the following Atlassian Cloud products:
- Jira Service Desk - only for Atlassian account users from the verified domains of their organization. Jira Service Desk portal-only users that do not have Atlassian accounts (on the organization's verified domains) are not covered by the password policy.
Minimum password strength
You can choose the minimum strength that all passwords must meet. Note that Atlassian account uses an entropy score to evaluate password strength, so there are no simple rules; however, these examples give some guidance:
See our tips for strong passwords below.
By default, passwords do not expire. However, you can set an expiry period if required: enter the number of days after which passwords expire.
Choose when to apply changes
Once you have selected the password strength and/or password expiry period, you can save and apply the password policy either immediately or the next time a user changes or sets their password.
- Immediately – users will be logged out of their current session and will need to set a new password at next log in, regardless of whether their existing password already met the new password policy.
- Next time user changes their password – their current session will not be terminated, but they will be prompted to set a new password at next log in.
If you change the password strength and want the changes to take effect on next log in, you will need to reset all users' passwords.
If anyone has chosen the Keep me logged in option on the site login screen, they'll be forced to update their password after their login period expires (every 30 days).
Tips for setting strong passwords
Need to give your users some tips on how to set strong passwords? Try these:
- Avoid patterns, such as consecutive letters (alphabetical or adjacent on the keyboard) and sequential numbers.
- Avoid replacing letters with similar-looking numbers or symbols (for example, 3 for e or $ for s).
- Avoid short passwords. Several unrelated English words are hard to guess, but a single word plus a single number is very easy for an attacker to break.
- Use a password manager to generate long, random passwords.
- Use lots of 'parts' in your password, which makes it hard to crack and easier to remember. Four unrelated English words are very strong (correcthorsebatterystaple), as is a combination of words and random numbers (tape934elephant%*Pass
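The page says Atlassian account scores passwords by entropy rather than by simple rules, and the tips above describe what drives that score down (dictionary words, letter-for-symbol substitutions, keyboard and alphabet sequences) or up (several unrelated words). The following estimator is an added example written to illustrate those tips; it is not Atlassian's scoring code and does not reproduce its thresholds. The small word list, the assumed 10,000-word attacker dictionary (DICT_SIZE), the leet substitution table and the per-token bit costs are all constructed assumptions; a real checker would use a large wordlist and a tuned model.

```python
"""Illustrative password-entropy estimator (added example, not Atlassian's code).

Models the tips on this page: dictionary words, leet substitutions and
keyboard/alphabet sequences cost an attacker far fewer guesses than their
length suggests, while several unrelated words add up to real strength.
"""
import math
import re

# Assumption: a real checker loads a large dictionary. This constructed set
# stands in for it, and DICT_SIZE is the wordlist size we assume an attacker
# has when pricing a matched word in bits (log2(10000) ~ 13.3 bits).
COMMON_WORDS = {"correct", "horse", "battery", "staple", "password", "tape",
                "elephant", "pass", "welcome", "summer", "admin", "letmein"}
DICT_SIZE = 10_000
WORD_BITS = math.log2(DICT_SIZE)

# Substitutions the tips warn about ("3 for e", "$ for s"); assumed table.
LEET = str.maketrans({"3": "e", "$": "s", "0": "o", "1": "l", "@": "a", "5": "s"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SYMBOL_SPACE = 33  # printable ASCII minus letters and digits


def is_sequence(run: str) -> bool:
    """True for consecutive characters ('abcd', '4321') or a keyboard-row slice ('qwerty')."""
    s = run.lower()
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def alpha_bits(run: str) -> float:
    """Price a letters-only run: sequences and dictionary words are cheap to guess."""
    if is_sequence(run):
        return math.log2(26) + 1  # start letter plus direction
    low = run.lower()
    bits, i, brute = 0.0, 0, 0
    while i < len(low):
        # Greedy longest dictionary match at position i; unmatched letters are brute-forced.
        match = max((w for w in COMMON_WORDS if low.startswith(w, i)), key=len, default=None)
        if match:
            bits += WORD_BITS
            i += len(match)
        else:
            brute += 1
            i += 1
    bits += brute * math.log2(26)
    if run != low:
        bits += 1  # capitalisation somewhere in the run adds roughly one bit
    return bits


def digit_bits(run: str) -> float:
    """Price a digits-only run; '123' or '9876' is a single cheap guess."""
    if is_sequence(run):
        return math.log2(10) + 1
    return len(run) * math.log2(10)


def token_bits(pw: str) -> float:
    """Sum the cost of each letter, digit or symbol run in the password."""
    total = 0.0
    for tok in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        if tok.isalpha():
            total += alpha_bits(tok)
        elif tok.isdigit():
            total += digit_bits(tok)
        else:
            total += len(tok) * math.log2(SYMBOL_SPACE)
    return total


def estimate_entropy(pw: str) -> float:
    """Bits of guessing work. An attacker also tries the leet-decoded form, so
    a substitution like p@ssw0rd buys about one extra bit, not a new password."""
    decoded = pw.translate(LEET)
    if decoded == pw:
        return token_bits(pw)
    return min(token_bits(pw), token_bits(decoded) + 1)


if __name__ == "__main__":
    # Constructed samples, including the two passphrases quoted in the tips.
    for sample in ("password1", "p@ssw0rd", "qwerty123",
                   "correcthorsebatterystaple", "tape934elephant%*Pass"):
        print(f"{sample:28s} ~{estimate_entropy(sample):5.1f} bits")
```

Running the block ranks the samples the way the tips predict: qwerty123 and p@ssw0rd score in the low teens of bits because a sequence or a decoded dictionary word is one guess each, while the four-word passphrase scores around 53 bits because each unrelated word costs a full dictionary lookup. The greedy longest-match segmentation is a simplification; a production scorer would consider all segmentations and take the cheapest.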