Password Policy for JIRA


The JIRA password policy enables JIRA Administrators to set limits and restrictions on the types of passwords their users can create. You can use this feature to create a more secure JIRA system for your company.

Note: The JIRA password policy is disabled by default. To turn it on and configure it, follow the instructions below. Also, this policy is only useful when JIRA users can change their own passwords. If JIRA is connected to an Active Directory, this policy should not be used.

Enabling the password policy

  1. Log in as a user with the JIRA Administrators global permission.
    Choose the cog icon  > System. Next, select Password Policy on the left.
    (tick) Keyboard shortcut: g + g + start typing password
    Select one of the following options:
    1. Disabled – The equivalent of having no password policy.
    2. Basic – Requires passwords to be at least 8 characters long and use at least 2 character types. Rejects passwords that are very similar to the previous password or the user's public information.
    3. Secure – Requires passwords to be at least 10 characters long and use at least 3 character types including at least 1 special character. Rejects passwords that are even slightly similar to the previous password or the user's public information.
    4. Custom – Lets you use your own settings.
  2. Configure the following fields:
    1. Password Length – Set a minimum and maximum length for your passwords.
      (info) Currently, you must set a maximum length if you enable the password policy and the maximum value allowed is 255.
    2. Character Variety – Use these fields to set requirements around the types of characters – uppercase letters, lowercase letters, special characters, and so on – that are required.
    3. Similarity Checks – See the section below for details on this feature.
  3. Click the Update button at the bottom of the screen when you are ready.

Similarity Checks

This is a system check to make sure that your users aren't creating a new password that is too similar to the current password, the user's name or email address. It can be set to Ignored, Lenient, or Strict.

What is the difference between lenient and strict?

  • Lenient checks for obvious similarities, like reversing the username or moving the front letter to the end.
  • Strict checks for more subtle variations, like mixing up the letters or adding just one new character. It also performs a character frequency analysis.

Password FAQ

Question: Why would you ever want a maximum password length?

Answer: Maybe you shouldn't, but you may want to do this for security or other reasons. For example, if you are using a writable external user directory, then that external directory may have its own restrictions on the maximum password length that it allows.

Question: What is Character Variety and why should I use this?

Answer: Character variety refers to the different types of characters you can create on a keyboard: lowercase letters, uppercase letters, numbers, and special characters. Requiring different character types makes passwords harder to guess, but it might also make them harder to remember. Use your best judgment when setting these fields, keeping in mind your company's requirements as well as your user base. 

Question: Does this policy affect existing passwords?

Answer: The policy is only enforced as passwords are changed; there is no way to detect whether or not existing passwords satisfy the policy or to force the users to update their passwords if the policy has been changed.  As a workaround, you can use this Crowd REST resource to forcibly change the users' passwords to something they won't know, thereby requiring them to reset it to get back in, and the password reset enforces the policy rules.

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport