4.22. Configuring a Password Policy
This topic describes how to configure a password policy in your instance of Open edX.
By default, Open edX imposes a minimal password complexity policy for all users who log in to the LMS or Studio. Under the default password complexity policy, passwords must contain 2 to 75 characters and cannot be similar to the user’s username or email address.
Open edX does not store plain-text passwords, only hashes. Since the length of a hash is independent of the length of the original password, passwords can effectively be of unlimited length. The 75-character default limit is rather arbitrary. Open edX does impose an upper limit of 5,000 characters on a password, but this should be well beyond the practical limit of password length.
This password policy is defined in the lms.yml configuration file:

    AUTH_PASSWORD_VALIDATORS:
      - NAME: django.contrib.auth.password_validation.UserAttributeSimilarityValidator
      - NAME: common.djangoapps.util.password_policy_validators.MinimumLengthValidator
        OPTIONS:
          min_length: 2
      - NAME: common.djangoapps.util.password_policy_validators.MaximumLengthValidator
        OPTIONS:
          max_length: 75
You can override these settings by modifying one of the existing OPTIONS. For example, if you want to enforce a minimum password length of 16 characters and a maximum length of 256, you would set:

    AUTH_PASSWORD_VALIDATORS:
      - NAME: django.contrib.auth.password_validation.UserAttributeSimilarityValidator
      - NAME: common.djangoapps.util.password_policy_validators.MinimumLengthValidator
        OPTIONS:
          min_length: 16
      - NAME: common.djangoapps.util.password_policy_validators.MaximumLengthValidator
        OPTIONS:
          max_length: 256
If your Open edX configuration enables third-party authentication, the maximum value you can specify for the min_length option is 25.
You can also substitute your own password policy for the default policy. To replace the default password policy with your own, follow these steps.

1. Create or import a new password validator. This is a Python class that defines how a password is validated. For details about writing a password validator class, see Creating a Password Validator.
2. Add your password validator to the list in the AUTH_PASSWORD_VALIDATORS configuration key in the lms.yml configuration file. For details, see Configuring a Password Validator.
4.22.1. Creating a Password Validator

An Open edX password validator is a Python class that specifies how user passwords are validated. You can use whatever criteria you choose to establish a password policy for your Open edX instance. You can create your own custom password validator, or import one or more password validators from password_policy_validators in the edx-platform repository on GitHub.

Those password validators include minimum length, maximum length, user attribute similarity, minimum alphabetic, minimum numeric, minimum uppercase, minimum lowercase, minimum punctuation, and minimum symbols. For more information, see also the Django password validation documentation.
4.22.2. Configuring a Password Validator

To configure your Open edX instance to use a particular password validator, add your password validator to the list in the AUTH_PASSWORD_VALIDATORS configuration key in the lms.yml configuration file. For example, to add a password validator named MyPasswordValidator, add a line like this to the lms.yml configuration file:

    AUTH_PASSWORD_VALIDATORS:
      - NAME: path.to.module.MyPasswordValidatorClass
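The following is an added example (not code from edx-platform) of what a custom validator class from Creating a Password Validator looks like, and of how the NAME and OPTIONS entries in AUTH_PASSWORD_VALIDATORS map onto it. It assumes Django's validator protocol (OPTIONS passed as constructor keyword arguments, a validate(password, user) method that raises ValidationError, and get_help_text()); the validator name MinimumCharacterClassesValidator and its min_classes option are hypothetical, and build_validators takes the class object where lms.yml would hold a dotted import path.

```python
import string

try:
    from django.core.exceptions import ValidationError
except ImportError:  # stand-in so the example runs without Django installed
    class ValidationError(Exception):
        def __init__(self, message, code=None):
            super().__init__(message)
            self.message, self.code = message, code


class MinimumCharacterClassesValidator:
    """Hypothetical validator: the password must draw characters from at least
    `min_classes` of the four classes below. `min_classes` is the OPTIONS key."""

    CLASSES = {
        "lowercase": set(string.ascii_lowercase),
        "uppercase": set(string.ascii_uppercase),
        "digits": set(string.digits),
        "symbols": set(string.punctuation),
    }

    def __init__(self, min_classes=3):
        self.min_classes = min_classes

    def validate(self, password, user=None):
        chars = set(password)
        found = sum(1 for members in self.CLASSES.values() if chars & members)
        if found < self.min_classes:
            raise ValidationError(self.get_help_text(), code="password_too_uniform")

    def get_help_text(self):
        return (f"Your password must use at least {self.min_classes} of: "
                "lowercase, uppercase, digits, symbols.")


def build_validators(config):
    """Instantiate validators as Django does from AUTH_PASSWORD_VALIDATORS:
    each entry's OPTIONS become constructor keyword arguments (NAME is a class
    here rather than a dotted path, to keep the example self-contained)."""
    return [entry["NAME"](**entry.get("OPTIONS", {})) for entry in config]


def password_errors(password, validators, user=None):
    """Run every configured validator and collect its messages, mirroring
    Django's validate_password, which reports all failures together."""
    errors = []
    for validator in validators:
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.append(exc.message)
    return errors
```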