habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6ab645e0f74b45b317ca27f57a1f029928fc486f
authentik/website/docs/customize/policies/unique_password.md
Tana M Berry a06645d558 website/docs: remove support badge (#14343) 
removed support badge1

Co-authored-by: Tana M Berry <tana@goauthentik.io>
2025-05-02 18:15:20 +00:00

46 lines
2.5 KiB
Markdown
Raw Blame History

---
title: Password Uniqueness Policy
sidebar_label: Password Uniqueness Policy
tags:
- policy
- password
- security
- enterprise
authentik_version: "2025.4.0"
authentik_enterprise: true
---
The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below.
## How it works
This policy maintains a record of previously used passwords for each user. When a new password is created, it is compared against this historical log. If a match is found with any previous password, the policy is not met, and the user is required to choose a different password.
The password history is maintained automatically when this policy is in use. Old password hashes are stored securely in authentik's database.
:::info
This policy takes effect after the first password change following policy activation. Before that first change, there's no password history data to compare against.
:::
## Integration with other policies
For comprehensive password security, consider using this policy alongside:
- [Password Policy](./index.md#password-policy) - To enforce password complexity rules
- [Password-Expiry Policy](./index.md#password-expiry-policy) - To enforce regular password rotation
## Implement a Password Uniqueness policy
To implement a policy that prevents users from reusing their previous passwords, follow these steps:
1. In the Admin interface, navigate to **Customization** > **Policies**.
2. Click **Create** to define a new Password Uniqueness Policy.
- **Name**: provide a descriptive name for the policy.
- **Password field**: enter the name of the input field to check for the new password. By default, if no custom flows are used, the field name is `password`. This field name must match the field name used in your Prompt stage.
- **Number of previous passwords to check**: enter the number of past passwords that you want to set as the number of previous passwords that are checked and stored for each user, with a default of 1. For instance, if set to 3, users will not be able to reuse any of their last 3 passwords.
3. Bind the policy to your **password prompt stage**: For example, if you're using the `default-password-change` flow, edit the `default-password-change-prompt` stage and add the policy in the **Validation Policies** section.
:::info
Password history records are stored securely and cannot be used to reconstruct original passwords.
:::
Reference in New Issue View Git Blame Copy Permalink