
Manage your password policy

Who can do this?
Role: Organization admin

On this page we refer to password policy settings as either password management or requirements.

Setting a password policy ensures that people accessing your Atlassian cloud products use best practices when creating passwords. As an organization admin, you can require all of your managed users to meet a minimum password strength, or you can set a password expiration period.

If you don't set password strength, Atlassian accounts must have a password length of 8 to 100 characters.

Before you can set password requirements, you need to verify one or more domains. When you verify a domain, all the Atlassian accounts that use email addresses from the domain become managed by your organization. Learn how to verify a domain for your organization.

Password requirements apply even if your managed accounts log in to another organization’s Atlassian cloud product.

Set password requirements in authentication policies

You can find password requirements in your organization under Understand authentication policies.

If you don't subscribe to Atlassian Access, you set password requirements in one authentication policy for all users. You need a subscription to Atlassian Access to take advantage of multiple authentication policies.

Multiple authentication policies give you the flexibility to configure password requirements for different sets of users within your organization. Authentication policies also reduce risk by allowing you to test different password requirements for subsets of users before rolling them out to your whole company.

To set password requirements in Authentication policies

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to modify.

  4. On the Settings page, select Password Strength and Expiration.

  5. To apply password settings to the policy, select Update.

    1. Next time the member changes their password, we prompt them to set a new password.

  6. To apply password settings to members right away, select Reset Passwords.

    1. Next time the member logs in, we prompt them to set a new password.

Reset passwords in authentication policies

When you reset passwords, we log out all members from the policy in about ten minutes. Members need to change their passwords when they log in. We recommend you let your members know they may lose content when you reset their passwords.

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Authentication policies.

  3. Select Edit for the policy you want to modify.

  4. Select Reset Passwords.

  5. Next time the member logs in, we prompt them to set a new password.

If you enforce single sign-on, you can only set up password requirements in your identity provider and not in your authentication policy. Learn more about authentication policies

Set a password policy

Password policies will apply to your managed accounts when used to access the following Atlassian cloud products:

  • Bitbucket

  • Confluence

  • Jira Core

  • Jira Software

  • Jira Service Management (for Atlassian account users with verified domains).

  • Trello

Portal-only accounts

You can’t create a password policy for Jira Service Management customers with portal-only accounts. These accounts must have a password between 8 and 100 characters in length. Learn more about portal-only accounts.

Minimum password strength

You can choose the minimum strength that all passwords should comply with. We use an entropy score to evaluate password strength, so there aren't simple rules. These examples give some guidance:

| Password strength | Example |
| --- | --- |
| Weak | asdfghjk |
| Fair | asdfghj* |
| Good | ry2iyr*Z |
| Strong | qwe&8d&dj |
| Very strong | DFG65&fj90x |

If you change the password strength and want the changes to take effect at the next login, you need to reset passwords for all users.

Tips for setting strong passwords

  • Avoid patterns, consecutive letters and numbers.

  • Avoid replacing letters with similar numbers or symbols (for example, 3 for e or $ for s).

  • Avoid short passwords. Using a single word and a single number is easy for an attacker to break.

  • Use a password manager to generate long, random passwords.

  • Build your password from several parts so that it is hard to crack but easier to remember. Four unrelated words make a strong password (e.g. correcthorsebatterystaple), as does a combination of words and random numbers (tape934elephant%*Pass).
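Why an entropy score has no simple rules, shown as an added example (not Atlassian's scoring algorithm, which this page does not describe): a naive character-pool estimate rates the keyboard walk asdfghjk the same as a random string and rates a symbol-substituted common word highly, while checks based on the tips above flag both. The sequence list, substitution map, word list and run threshold of 4 are assumptions.

```python
import math
import string

# Assumption: QWERTY rows plus alphabet and digit runs stand in for "patterns".
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]
# Assumption: a small map of the look-alike substitutions the tips warn about.
LEET = str.maketrans({"3": "e", "$": "s", "0": "o", "1": "l", "@": "a", "4": "a", "5": "s"})
# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "secret", "letmein"}
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def pool_entropy_bits(pw):
    """Naive estimate: length * log2(total size of the character classes used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def longest_sequence_run(pw):
    """Longest substring that walks a keyboard row, the alphabet or the digits, either way."""
    low, best = pw.lower(), 0
    for seq in SEQUENCES:
        for direction in (seq, seq[::-1]):
            for i in range(len(low)):
                # Only look for runs longer than the best one found so far.
                for j in range(i + best + 1, len(low) + 1):
                    if low[i:j] not in direction:
                        break
                    best = j - i
    return best


def findings(pw):
    """Return which of the page's tips a candidate password violates."""
    out = []
    if len(pw) < 8:
        out.append("short")
    if longest_sequence_run(pw) >= 4:  # threshold is an assumption
        out.append("pattern")
    # Undo look-alike substitutions before the word lookup.
    if any(word in pw.lower().translate(LEET) for word in COMMON_WORDS):
        out.append("common-word")
    return out


if __name__ == "__main__":
    # Constructed samples, plus "asdfghjk" from the page's table.
    for sample in ["asdfghjk", "kqzmwvtb", "P@$$w0rd1", "correcthorsebatterystaple"]:
        print(f"{sample!r}: {pool_entropy_bits(sample):.1f} bits naive, {findings(sample)}")
```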

Password expiration

Passwords don't expire unless you set an expiration period. You can add the number of days for passwords to expire.

 
