A password policy helps ensure that people accessing your Atlassian cloud products are using best practices when creating passwords. As an organization admin, you can use a password policy to require all of your managed users to meet a minimum password strength or set a password expiration period.
By default if you don't set a password policy, Atlassian accounts are required to have a password length of 8 to 100 characters.
Before you can set a password policy, verify one or more domains. When you verify a domain, all the Atlassian accounts that use email addresses from the domain become managed by your organization. See Verify a domain for your organization.
Because a password policy only applies to your managed accounts:
Your password policy applies even if your managed users log in to another organization’s Atlassian cloud product.
Your password policy won’t apply to users with domains not verified by your organization when they access your Atlassian cloud products.
Set password requirements with authentication policies
Authentication policies give you the flexibility to configure multiple password requirements for different sets of users within your organization. Authentication policies also reduce risk by giving you the ability to test different password requirements for subsets of users before rolling them out to your whole company.
When you configure authentication policies, you can set your password requirements in the authentication policy.
To set password requirements in an authentication policy:
Navigate to Authentication Policies at admin.atlassian.com.
Select Edit for the policy you want to modify.
On the Settings page, select Password Strength and Expiration.
If you enforce single sign-on, you can only set up password requirements in your identity provider and not in your authentication policy. Learn more about authentication policies.
Set a password policy
A password policy applies to your managed accounts, that is, the Atlassian accounts that belong to the verified domains in your organization.
To set a password policy
- From your organization at admin.atlassian.com,select Security and then Password management.
- Set The password policy attributes are described below.
- When you're finished, click Update password policy.
Once enabled, your password policy will apply to your managed accounts when used to access the following Atlassian cloud products:
Jira Service Management - only for Atlassian account users from the verified domains of their organization. Jira Service Management portal-only users that do not have Atlassian accounts (on the organization’s verified domains) are not covered by the password policy.
Minimum password strength
You can choose the minimum strength that all passwords should comply with. Note that Atlassian account uses an entropy score to evaluate password strength so there aren't simple rules, however these examples give some guidance:
See our tips for strong passwords below.
By default, passwords do not expire. However, you can set an expiry period if required, just add the numbers of days you want your password to expire by.
Choose when to apply changes
Once the administrator has selected the password strength and/or password expiry period, they have the ability to save and apply their password policy either immediately or the next time a user changes or sets their password.
- Immediately – users will be logged out their current session and will need to set a new password at next log in regardless of whether their existing password already met the new password policy
- Next time user changes their password – their current session will not be terminated, but they will be prompted to set a new password at next log in.
If you change the password strength and want the changes to take effect on next log in, you will need to reset all users' passwords.
Tips for setting strong passwords
Need to give your users some tips on how to set strong passwords? Try these:
- Avoid patterns. Consecutive letters (either alphabetical or on the keyboard) and numbers
- Avoid replacing letters with similar numbers or symbols (example 3 for e or $ for s)
- Avoid short passwords. Lots of unrelated english words are hard to guess, but a single word and a single number is very easy for an attacker to break.
- Use a password manager to generate long/random passwords
- Use lots of 'parts' to your password, which can make it hard to crack and easier to remember. Four unrelated english words is very strong (correcthorsebatterystaple), as is a combination of words and random numbers (tape934elephant%*Pass