If you recently noticed a change in your authentication settings
Beginning the week of March 15th, we started migrating password management and other settings to your new authentication policies. Learn about what's changed

On this page, we refer to password policy settings as either password management or requirements.

When you set a password policy, it ensures that people accessing your Atlassian cloud products use best practices when creating passwords. As an organization admin, you can require all of your managed users to meet a minimum password strength, or you can set a password expiration period.

If you don't set password strength, Atlassian accounts must have a password length of 8 to 100 characters.

Before you can set a password policy, you need to verify one or more domains. When you verify a domain, all the Atlassian accounts that use email addresses from the domain become managed by your organization. Learn how to verify a domain for your organization.

Password requirements apply even if your managed accounts log in to another organization’s Atlassian cloud product.

Set password requirements in authentication policies

You can find password requirements in your organization under Authentication policies.

If you don’t subscribe to Atlassian Access, you set password requirements in an authentication policy for all users. You need a subscription to Atlassian Access to take advantage of multiple authentication policies for subsets of users.

Multiple authentication policies give you the flexibility to configure password requirements for different sets of users within your organization. Authentication policies also reduce risk by giving you the ability to test different password requirements for subsets of users before rolling them out to your whole company.

To set password requirements in Authentication policies:

  1. Navigate to Authentication Policies at admin.atlassian.com.

  2. Select Edit for the policy you want to modify.

  3. On the Settings page, select Password Strength and Expiration.

  4. Next time the member logs in, we will prompt them to set a password using the new requirements.

If you enforce single sign-on, you can only set up password requirements in your identity provider and not in your authentication policy. Learn more about authentication policies.

Set a password policy

Password policies will apply to your managed accounts when used to access the following Atlassian cloud products:

  • Jira Software

  • Jira Work Management

  • Jira Service Management - only for Atlassian account users from the verified domains of their organization.

  • Jira Service Management portal - only for users that do not have Atlassian accounts (on the organization’s verified domains). Password requirements don’t apply to these users.

  • Confluence

  • Bitbucket

Minimum password strength

You can choose the minimum strength that all passwords should comply with. We use an entropy score to evaluate password strength, so there aren't simple rules. These examples give some guidance:

Password strengthExample
Very strongDFG65&fj90x

If you change the password strength and want the changes to take effect on next log in, you will need to reset all users' passwords.

Tips for setting strong passwords

  • Avoid patterns. Consecutive letters (either alphabetical or on the keyboard) and numbers

  • Avoid replacing letters with similar numbers or symbols (example 3 for e or $ for s)

  • Avoid short passwords. Using a single word and a single number is easy for an attacker to break

  • Use a password manager to generate long/random passwords

  • Use lots of 'parts' to your password, making it hard to crack and easier to remember. Four unrelated words make a strong password (correcthorsebatterystaple), so does making a combination of words and random numbers (tape934elephant%*Pass)

Password expiration

Passwords don’t expire unless you set an expiration period. You can add the number of days for the password to expire.