Password Policies
Organization admins can enforce password complexity and expiration requirements to enhance account security.
Configure Password Policies
Update your organization's password requirements.
curl -X PATCH https://api.entryguard.io/api/v1/organization/settings \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"passwordMinLength": 12,
"passwordRequireUppercase": true,
"passwordRequireLowercase": true,
"passwordRequireDigit": true,
"passwordRequireSpecialChar": true,
"passwordExpirationDays": 90
}'
Policy Options
Password Complexity
| Field | Type | Default | Description |
|---|---|---|---|
| passwordMinLength | Integer | 8 | Minimum password length (8-128 characters) |
| passwordRequireUppercase | Boolean | true | Require at least one uppercase letter (A-Z) |
| passwordRequireLowercase | Boolean | true | Require at least one lowercase letter (a-z) |
| passwordRequireDigit | Boolean | true | Require at least one digit (0-9) |
| passwordRequireSpecialChar | Boolean | false | Require at least one special character (!@#$%^&*) |
Password Expiration
| Field | Type | Default | Description |
|---|---|---|---|
| passwordExpirationDays | Integer | null | Number of days before passwords expire (null = never) |
Example Response:
{
"id": "880e8400-e29b-41d4-a716-446655440003",
"name": "Acme Corp",
"subscriptionTier": "PAID",
"mfaRequired": true,
"passwordMinLength": 12,
"passwordRequireUppercase": true,
"passwordRequireLowercase": true,
"passwordRequireDigit": true,
"passwordRequireSpecialChar": true,
"passwordExpirationDays": 90
}
Password Validation
Password policies are enforced when:
- New users register
- Users change their password
- Admins reset user passwords
Invalid passwords will be rejected with a 400 Bad Request error describing which requirements are not met.
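The following is an added example, not part of the EntryGuard documentation or its server code. It shows how the complexity rules from the Policy Options table can be applied client-side before submitting a registration, password change or admin reset, so the caller can surface the same unmet requirements the API would report in its 400 Bad Request. The PasswordPolicy field names match the settings fields above; the wording of each failure message and the 8-128 range check on passwordMinLength are assumptions, and the set of special characters is the one listed in the table.

```python
from dataclasses import dataclass
from typing import List

# Special characters accepted by the passwordRequireSpecialChar rule (taken from the table).
SPECIAL_CHARS = "!@#$%^&*"


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors the organization settings fields; defaults match the table above."""
    passwordMinLength: int = 8
    passwordRequireUppercase: bool = True
    passwordRequireLowercase: bool = True
    passwordRequireDigit: bool = True
    passwordRequireSpecialChar: bool = False


def validate_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of unmet requirements; an empty list means the password is acceptable.

    Character classes are checked as plain ASCII ranges (A-Z, a-z, 0-9) rather than with
    str.isupper()/isdigit(), so that accented letters or Unicode digits do not satisfy a rule
    the table defines in ASCII terms. Message wording is an assumption, not the API's text.
    """
    if not 8 <= policy.passwordMinLength <= 128:
        raise ValueError("passwordMinLength must be between 8 and 128")

    failures: List[str] = []
    if len(password) < policy.passwordMinLength:
        failures.append(f"must be at least {policy.passwordMinLength} characters")
    if policy.passwordRequireUppercase and not any("A" <= c <= "Z" for c in password):
        failures.append("must contain at least one uppercase letter (A-Z)")
    if policy.passwordRequireLowercase and not any("a" <= c <= "z" for c in password):
        failures.append("must contain at least one lowercase letter (a-z)")
    if policy.passwordRequireDigit and not any("0" <= c <= "9" for c in password):
        failures.append("must contain at least one digit (0-9)")
    if policy.passwordRequireSpecialChar and not any(c in SPECIAL_CHARS for c in password):
        failures.append(f"must contain at least one special character ({SPECIAL_CHARS})")
    return failures


def policy_from_settings(settings: dict) -> PasswordPolicy:
    """Build a policy from an organization settings response body (constructed sample below)."""
    return PasswordPolicy(
        passwordMinLength=settings.get("passwordMinLength", 8),
        passwordRequireUppercase=settings.get("passwordRequireUppercase", True),
        passwordRequireLowercase=settings.get("passwordRequireLowercase", True),
        passwordRequireDigit=settings.get("passwordRequireDigit", True),
        passwordRequireSpecialChar=settings.get("passwordRequireSpecialChar", False),
    )


if __name__ == "__main__":
    # Constructed sample: the settings shown in the Example Response above.
    sample_settings = {
        "passwordMinLength": 12,
        "passwordRequireUppercase": True,
        "passwordRequireLowercase": True,
        "passwordRequireDigit": True,
        "passwordRequireSpecialChar": True,
    }
    policy = policy_from_settings(sample_settings)
    for candidate in ("NewSecureP@ssw0rd!", "oldPassword123", "short"):
        print(candidate, "->", validate_password(candidate, policy) or "OK")
```

Running the check locally does not replace the server-side enforcement; it only lets a client show the full list of failures in one round trip rather than discovering them from the API's 400 response.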
Password Expiration Flow
When passwordExpirationDays is set:
- Passwords expire after the configured number of days
- Users with expired passwords receive passwordExpired: true in the login response
- Users must change their password via POST /auth/change-expired-password before accessing the system
Login with Expired Password
curl -X POST https://api.entryguard.io/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "oldPassword123"
}'
Response:
{
"userId": "770e8400-e29b-41d4-a716-446655440002",
"passwordExpired": true
}
Change Expired Password
curl -X POST https://api.entryguard.io/api/v1/auth/change-expired-password \
-H "Content-Type: application/json" \
-d '{
"userId": "770e8400-e29b-41d4-a716-446655440002",
"oldPassword": "oldPassword123",
"newPassword": "NewSecureP@ssw0rd!"
}'
Response:
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "550e8400-e29b-41d4-a716-446655440000",
"expiresIn": 3600
}
The user can now log in with their new password.
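As an added example (not part of the EntryGuard documentation or its implementation), the following computes the expiry decision that drives the flow above from a user's last password-change timestamp and the organization's passwordExpirationDays, treating null (None) as "never expires" exactly as the table states. It also shows the client-side branch on the passwordExpired field of the login response. The exact boundary used here (a password is expired once the configured number of days has fully elapsed) and the helper names are assumptions; the page does not state how the server rounds the boundary.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def password_expired(password_changed_at: datetime,
                     expiration_days: Optional[int],
                     now: Optional[datetime] = None) -> bool:
    """True when the password is past the organization's expiration window.

    expiration_days=None mirrors passwordExpirationDays: null (never expires).
    Boundary (>= the configured number of days) is an assumption, not documented behaviour.
    """
    if expiration_days is None:
        return False
    if expiration_days <= 0:
        raise ValueError("passwordExpirationDays must be a positive number of days")
    now = now or datetime.now(timezone.utc)
    return now - password_changed_at >= timedelta(days=expiration_days)


def days_until_expiry(password_changed_at: datetime,
                      expiration_days: Optional[int],
                      now: Optional[datetime] = None) -> Optional[int]:
    """Whole days remaining before expiry, 0 once expired, None when expiry is disabled.

    Useful for warning users before they hit the change-expired-password flow.
    """
    if expiration_days is None:
        return None
    now = now or datetime.now(timezone.utc)
    remaining = password_changed_at + timedelta(days=expiration_days) - now
    return max(0, remaining.days)


def next_step_after_login(login_response: dict) -> str:
    """Decide what a client must do with a login response.

    The expired-password response shape ({"userId": ..., "passwordExpired": true}) is the one
    shown in the documentation; any other response is treated as a normal login here.
    """
    if login_response.get("passwordExpired") is True:
        # No tokens are issued yet; the client must call POST /auth/change-expired-password
        # with userId, oldPassword and newPassword before it can access the system.
        return "change-expired-password"
    return "authenticated"


if __name__ == "__main__":
    # Constructed sample timestamps (UTC) and the 90-day policy from the examples above.
    changed_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for check_time in (datetime(2024, 3, 30, tzinfo=timezone.utc),
                       datetime(2024, 4, 1, tzinfo=timezone.utc)):
        print(check_time.date(), "expired:", password_expired(changed_at, 90, check_time),
              "days left:", days_until_expiry(changed_at, 90, check_time))
    # Constructed login response matching the documented expired-password shape.
    print(next_step_after_login({"userId": "770e8400-e29b-41d4-a716-446655440002",
                                 "passwordExpired": True}))
```

Keeping the expiry decision in one function makes it easy to exercise the null case and the day boundary in tests, which is where expiration logic most often goes wrong.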
Disabling Password Expiration
To remove password expiration, set passwordExpirationDays to null:
curl -X PATCH https://api.entryguard.io/api/v1/organization/settings \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"passwordExpirationDays": null
}'
Best Practices
- Minimum Length: Use at least 12 characters for strong passwords
- Complexity: Require uppercase, lowercase, digits, and special characters
- Expiration: Set to 90 days for compliance-sensitive environments
- MFA: Combine password policies with MFA enforcement for maximum security