If you recently noticed a change in your authentication settings
On this page, we refer to password policy settings as either password management or requirements.
When you set a password policy, it ensures that people accessing your Atlassian cloud products use best practices when creating passwords. As an organization admin, you can require all of your managed users to meet a minimum password strength, or you can set a password expiration period.
If you don't set password strength, Atlassian accounts must have a password length of 8 to 100 characters.
Before you can set a password policy, you need to verify one or more domains. When you verify a domain, all the Atlassian accounts that use email addresses from the domain become managed by your organization. Learn how to verify a domain for your organization.
Password requirements apply even if your managed accounts log in to another organization’s Atlassian cloud product.
Set password requirements in authentication policies
You can find password requirements in your organization under Authentication policies.
If you don’t subscribe to Atlassian Access, you set password requirements in an authentication policy for all users. You need a subscription to Atlassian Access to take advantage of multiple authentication policies for subsets of users.
Multiple authentication policies give you the flexibility to configure password requirements for different sets of users within your organization. Authentication policies also reduce risk by giving you the ability to test different password requirements for subsets of users before rolling them out to your whole company.
To set password requirements in Authentication policies:
Navigate to Authentication Policies at admin.atlassian.com.
Select Edit for the policy you want to modify.
On the Settings page, select Password Strength and Expiration.
Next time the member logs in, we will prompt them to set a password using the new requirements.
If you enforce single sign-on, you can only set up password requirements in your identity provider and not in your authentication policy. Learn more about authentication policies.
Set a password policy
Password policies will apply to your managed accounts when used to access the following Atlassian cloud products:
Jira Work Management
Jira Service Management - only for Atlassian account users from the verified domains of their organization.
Jira Service Management portal - only for users that do not have Atlassian accounts (on the organization’s verified domains). Password requirements don’t apply to these users.
Minimum password strength
You can choose the minimum strength that all passwords should comply with. We use an entropy score to evaluate password strength, so there aren't simple rules. These examples give some guidance:
If you change the password strength and want the changes to take effect on next log in, you will need to reset all users' passwords.
Tips for setting strong passwords
Avoid patterns. Consecutive letters (either alphabetical or on the keyboard) and numbers
Avoid replacing letters with similar numbers or symbols (example 3 for e or $ for s)
Avoid short passwords. Using a single word and a single number is easy for an attacker to break
Use a password manager to generate long/random passwords
Use lots of 'parts' to your password, making it hard to crack and easier to remember. Four unrelated words make a strong password (correcthorsebatterystaple), so does making a combination of words and random numbers (tape934elephant%*Pass)
Passwords don’t expire unless you set an expiration period. You can add the number of days for the password to expire.