habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
767c0a8e45872e59db622c713b6233a96e1e9c92
authentik/website/docs/customize/policies/unique_password.md
Tana M Berry a06645d558 website/docs: remove support badge (#14343) 
removed support badge1

Co-authored-by: Tana M Berry <tana@goauthentik.io>
2025-05-02 18:15:20 +00:00

2.5 KiB
Raw Blame History

title, sidebar_label, tags, authentik_version, authentik_enterprise
title sidebar_label tags authentik_version authentik_enterprise
Password Uniqueness Policy Password Uniqueness Policy
policy
password
security
enterprise
2025.4.0 true

The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below.

How it works

This policy maintains a record of previously used passwords for each user. When a new password is created, it is compared against this historical log. If a match is found with any previous password, the policy is not met, and the user is required to choose a different password.

The password history is maintained automatically when this policy is in use. Old password hashes are stored securely in authentik's database.

:::info This policy takes effect after the first password change following policy activation. Before that first change, there's no password history data to compare against. :::

Integration with other policies

For comprehensive password security, consider using this policy alongside:

Implement a Password Uniqueness policy

To implement a policy that prevents users from reusing their previous passwords, follow these steps:

  1. In the Admin interface, navigate to Customization > Policies.
  2. Click Create to define a new Password Uniqueness Policy.
    • Name: provide a descriptive name for the policy.
    • Password field: enter the name of the input field to check for the new password. By default, if no custom flows are used, the field name is password. This field name must match the field name used in your Prompt stage.
    • Number of previous passwords to check: enter the number of past passwords that you want to set as the number of previous passwords that are checked and stored for each user, with a default of 1. For instance, if set to 3, users will not be able to reuse any of their last 3 passwords.
  3. Bind the policy to your password prompt stage: For example, if you're using the default-password-change flow, edit the default-password-change-prompt stage and add the policy in the Validation Policies section.

:::info Password history records are stored securely and cannot be used to reconstruct original passwords. :::