Password Policies
Configure password requirements for local users
What Password Policies Control
Password policies define the rules for local user passwords - their complexity, length, how often they expire, and whether they can be reused. These settings are configured at the group level.
External users: If your users authenticate against Active Directory, LDAP, or another external identity provider, their passwords are governed by that system's policies - not Warden's. Password policies here only apply to local Warden users.
Policy Settings
Minimum Length
The minimum number of characters required. Modern recommendations suggest at least 12 characters, with 14+ being even better. Longer passwords are exponentially harder to crack.
Character Requirements
You can require uppercase letters, lowercase letters, numbers, and special characters. While complexity helps, length matters more - a 16-character passphrase is often stronger than an 8-character complex password.
Password Expiration
How many days until passwords must be changed. Set to 0 to never expire. Note that NIST guidelines now recommend against forced periodic changes unless there's evidence of compromise.
Password History
How many previous passwords to remember so that none of them can be reused. This stops users from cycling back to the same password after a forced change.
Modern Password Guidance (NIST 800-63B)
Password security recommendations have evolved. Here's what current best practices suggest:
Do
- Require a minimum of 12 characters
- Allow passphrases (spaces and common words)
- Check passwords against known breach databases
- Enable multi-factor authentication
- Allow all printable characters
- Support password managers (allow paste)
Avoid
- Arbitrary complexity rules that frustrate users
- Forced periodic password changes
- Security questions
- Password hints
- Maximum password length limits
- Truncating passwords
The key insight: Users forced to frequently change complex passwords often create weaker ones and write them down. A long, easy-to-remember passphrase combined with 2FA provides better security with less user friction.
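As an added illustration (not Warden's own code; the class and function names are hypothetical), here is how the four policy settings above and the NIST points on length, passphrases and printable characters might be enforced together in Python:

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class PasswordPolicy:
    """Hypothetical model of the group-level settings described above."""
    min_length: int = 12
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    expiration_days: int = 0   # 0 means passwords never expire
    history_size: int = 5      # previous passwords that may not be reused

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so the reuse history never stores plaintext."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def validate(password: str, policy: PasswordPolicy, history=()) -> list:
    """Return the rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    # No maximum length and no truncation: any printable character, spaces included, is allowed.
    if not all(c.isprintable() for c in password):
        problems.append("contains non-printable characters")
    rules = [
        (policy.require_upper, str.isupper, "an uppercase letter"),
        (policy.require_lower, str.islower, "a lowercase letter"),
        (policy.require_digit, str.isdigit, "a digit"),
        (policy.require_special, lambda c: not c.isalnum() and not c.isspace(), "a special character"),
    ]
    for required, test, name in rules:
        if required and not any(test(c) for c in password):
            problems.append(f"missing {name}")
    # Only the most recent history_size (salt, digest) pairs count; history_size 0 disables the check.
    recent = list(history)[-policy.history_size:] if policy.history_size else []
    if any(secrets.compare_digest(hash_password(password, s)[1], d) for s, d in recent):
        problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems

def expired(changed_on: str, policy: PasswordPolicy, today: str) -> bool:
    """ISO dates in; True if a forced change is due. expiration_days 0 disables it."""
    if policy.expiration_days == 0:
        return False
    return date.fromisoformat(today) >= date.fromisoformat(changed_on) + timedelta(days=policy.expiration_days)
```

The sample passwords in the checks are constructed for illustration only.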
Sample Policies
Standard Security
A balanced policy for most organizations:
High Security
For sensitive systems or compliance requirements:
Important: High security policies should always be paired with mandatory 2FA. The password alone shouldn't be the only authentication factor.
Contractor/Temporary
For short-term accounts:
Password Expiration Handling
When a password expires, what happens depends on your authentication method:
RADIUS Authentication
Warden can return an Access-Challenge prompting the user to change their password. However, most network devices don't support this flow. Instead, they'll see an authentication failure.
Workaround: Enable email notifications to warn users before expiration, and provide a self-service portal for password changes.
LDAP Authentication
LDAP clients typically handle password expiration gracefully. The user will be prompted to change their password as part of the bind operation.
Combining with 2FA
Password policies work hand-in-hand with two-factor authentication. In fact, modern security guidance suggests that strong 2FA can compensate for simpler password requirements:
- With 2FA required, you might relax complexity rules to improve user experience
- Without 2FA, stricter password requirements become more important
- Consider requiring 2FA for groups with access to sensitive resources
See our Two-Factor Authentication guide for setup instructions.
What's Next?
- Configure group settings including password policies
- Set up two-factor authentication
- Review authentication logs