4.23. Configuring a Password Policy

This topic describes how to configure a password policy in your instance of Open edX.

4.23.1. Overview

By default, Open edX imposes a minimal password complexity policy for all users who log in to the LMS or Studio. Under the default password complexity policy, passwords must contain 2 to 75 characters and cannot be similar to the user’s username or email address.

Note

Open edX does not store plain-text passwords, only hashes. Since the length of a hash is independent of the length of the original password, passwords can effectively be of unlimited length, and the 75-character default limit is rather arbitrary. Open edX does impose a hard upper limit of 5,000 characters on a password. That cap exists to bound the work the server does when hashing attacker-supplied input (hashing cost grows with the length of the input), not because long passwords are a problem, and it is well beyond any practical password length.

This password policy is defined in the lms.yml configuration file, under the AUTH_PASSWORD_VALIDATORS setting:

AUTH_PASSWORD_VALIDATORS:
-   NAME: django.contrib.auth.password_validation.UserAttributeSimilarityValidator
-   NAME: common.djangoapps.util.password_policy_validators.MinimumLengthValidator
      OPTIONS:
        min_length: 2
-   NAME: common.djangoapps.util.password_policy_validators.MaximumLengthValidator
      OPTIONS:
        max_length: 75

You can override these settings by modifying one of the existing OPTIONS. For example, if you want to enforce a minimum password length of 16 characters, and a maximum length of 256, you would set:

AUTH_PASSWORD_VALIDATORS:
-   NAME: django.contrib.auth.password_validation.UserAttributeSimilarityValidator
-   NAME: common.djangoapps.util.password_policy_validators.MinimumLengthValidator
      OPTIONS:
        min_length: 16
-   NAME: common.djangoapps.util.password_policy_validators.MaximumLengthValidator
      OPTIONS:
        max_length: 256

Warning

If your Open edX configuration enables third-party authentication, the maximum value you can specify for the MinimumLengthValidator’s min_length option is 25.

You can also substitute your own password policy for the default policy. To replace the default password policy with your own, follow these steps.

  1. Create or import a new password validator. This is a Python class that defines how a password is validated. For details about writing a password validator class, see Creating a Password Validator.

  2. Add your password validator to the list in the AUTH_PASSWORD_VALIDATORS configuration key in the lms.yml configuration file. For details, see Configuring a Password Validator.

4.23.2. Creating a Password Validator

An Open edX password validator is a Python class that specifies how user passwords are validated. You can use whatever criteria you choose to establish a password policy for your Open edX instance. You can create your own custom password validator, or import one or more password validators from password_policy_validators in the edx-platform repository on GitHub. Those password validators include minimum length, maximum length, user attribute similarity, minimum alphabetic, minimum numeric, minimum uppercase, minimum lowercase, minimum punctuation, and minimum symbols. For more information, see also the Django password validation documentation.

4.23.3. Configuring a Password Validator

To configure your Open edX instance to use a particular password validator, add your password validator to the list in the AUTH_PASSWORD_VALIDATORS configuration key in the lms.yml configuration file. For example, to add a password validator class named MyPasswordValidatorClass, add an entry like this to the lms.yml configuration file. Note that AUTH_PASSWORD_VALIDATORS is the complete list of validators that will run: if you want to keep any of the default validators (for example, the minimum and maximum length checks) alongside your own, include their entries as well.

AUTH_PASSWORD_VALIDATORS:
-   NAME: path.to.module.MyPasswordValidatorClass
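The following is an added example of the two steps above (creating a validator, then wiring it into AUTH_PASSWORD_VALIDATORS); it is not code from edx-platform or from Django. It implements the validate()/get_help_text() protocol that Django's password validation framework expects, adds a second validator backed by a small constructed blocklist, and includes a check_password() helper that runs a validator chain and collects every error the way Django's validate_password() does, so the policy can be exercised without a running LMS. The module path yourplugin.password_validators, the class names, the option names, and the blocklist contents are assumptions; the fallback ValidationError class only exists so the example runs offline when Django is not installed.

```python
"""Custom password validators in the shape Django (and therefore Open edX) expects.

Hypothetical wiring in lms.yml, assuming this file is importable as
yourplugin.password_validators (keep the default validators you still want):

    AUTH_PASSWORD_VALIDATORS:
    -   NAME: django.contrib.auth.password_validation.UserAttributeSimilarityValidator
    -   NAME: common.djangoapps.util.password_policy_validators.MinimumLengthValidator
          OPTIONS:
            min_length: 16
    -   NAME: yourplugin.password_validators.MinimumCharacterClassesValidator
          OPTIONS:
            min_classes: 3
    -   NAME: yourplugin.password_validators.CommonPasswordBlocklistValidator
"""
import re

try:
    # The exception type Django's validate_password() treats as "rejected".
    from django.core.exceptions import ValidationError
except ImportError:  # stand-in so this example runs without Django installed
    class ValidationError(Exception):
        def __init__(self, message, code=None, params=None):
            super().__init__(message)
            self.message = message
            self.code = code
            self.params = params


# Constructed sample blocklist. A real deployment would load a large,
# externally maintained list of breached or commonly used passwords.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
})


class MinimumCharacterClassesValidator:
    """Require at least `min_classes` of: lowercase, uppercase, digit, symbol.

    Django instantiates the class with the keys under OPTIONS as keyword
    arguments, calls validate(password, user=None) on every password change,
    and shows get_help_text() to the user.
    """
    _CLASSES = (
        re.compile(r"[a-z]"),
        re.compile(r"[A-Z]"),
        re.compile(r"[0-9]"),
        re.compile(r"[^A-Za-z0-9]"),
    )

    def __init__(self, min_classes=3):
        if not 1 <= min_classes <= len(self._CLASSES):
            raise ValueError("min_classes must be between 1 and 4")
        self.min_classes = min_classes

    def validate(self, password, user=None):
        present = sum(1 for cls in self._CLASSES if cls.search(password))
        if present < self.min_classes:
            raise ValidationError(
                "This password must use at least %(min_classes)d of: "
                "lowercase, uppercase, digits, symbols.",
                code="password_too_few_classes",
                params={"min_classes": self.min_classes},
            )

    def get_help_text(self):
        return ("Your password must use at least %d of: lowercase, uppercase, "
                "digits, symbols." % self.min_classes)


class CommonPasswordBlocklistValidator:
    """Reject passwords that appear in a blocklist, compared case-insensitively."""

    def __init__(self, blocklist=COMMON_PASSWORDS):
        self.blocklist = frozenset(p.lower() for p in blocklist)

    def validate(self, password, user=None):
        if password.lower() in self.blocklist:
            raise ValidationError("This password is too common.",
                                  code="password_too_common")

    def get_help_text(self):
        return "Your password can't be a commonly used password."


def check_password(password, validators, user=None):
    """Run every validator and return all error messages (empty list = accepted).

    Django's validate_password() likewise runs the whole chain and reports
    every failure at once rather than stopping at the first one.
    """
    errors = []
    for validator in validators:
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.append(exc.message % exc.params if exc.params else exc.message)
    return errors


if __name__ == "__main__":
    policy = [MinimumCharacterClassesValidator(3), CommonPasswordBlocklistValidator()]
    for candidate in ("password", "Correct-Horse-7"):
        print(candidate, "->", check_password(candidate, policy) or "accepted")
```

Because both classes follow the Django protocol, they can be listed under AUTH_PASSWORD_VALIDATORS exactly like the bundled validators, with any constructor keyword arguments supplied as OPTIONS.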