[Yandex Cloud documentation](../../index.md) > [Yandex Identity Hub](../index.md) > Concepts > Password policy

# Password policy


A _password policy_ brings together rules on creating and updating passwords for [pool](user-pools.md) users.

## Password policy settings {#settings}

{% note info %}

A password policy only applies to passwords set by users. It does not apply to automatically generated passwords.

{% endnote %}

Users with an administrator or organization owner account have access to [password policy settings](../operations/user-pools/set-password-policy.md).

### Password complexity {#complexity}

There are two available password complexity options:

* **Any character types**: Minimum length depends on the number of character types used in a password. For example, for a password made up of lowercase and uppercase letters, you can set the length of 14 characters, and for a more complex one, 10 characters.

  This is the preferred option because it does not require particular characters and allows users to create passwords that are stronger yet easier to remember.

* **Required character types**: Password must contain all specified character types and meet the required length. You can specify the following types of characters:

  * Lowercase letters
  * Uppercase letters
  * Numbers
  * Special characters, e.g., `!@#$%^&*`

### Password uniqueness {#uniqueness}

The password can be checked against the database of common passwords. If a user tries to set such a password, the system will reject it: these are easily guessed by attackers.

### Password lifetime {#lifetime}

Password lifetime is the period of time after which users will have to update their passwords. You can specify a lifetime of up to 730 days or set no limit.

### Protection against password guessing {#protection}

To configure protection against password guessing, you can use the following settings:

* Number of wrong password entries before lockout: 1 to 100.
* Interval for counting wrong entries in minutes or seconds.
* Lockout duration in minutes or seconds.

## Default password policy {#default-policy}

When you create a user pool, it is assigned the following default password policy:

* Minimum password length for character types used in the password:
  * 4 types: 10
  * 3 types: 11
  * 2 types: 24
* Minimum password lifetime: Unlimited.
* Maximum password lifetime: 365 days.
* Password check against the database of common passwords is on.
* Number of wrong password entries before lockout: 15.
* Interval for counting wrong entries: 10 minutes.
* Lockout duration: 10 minutes.