
# Setting up a password policy


To set up a [password policy](../../concepts/password-policy.md):

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization) using an administrator or organization owner account.
  1. In the left-hand panel, click ![userpool](../../../_assets/organization/userpool.svg) **User pools** and select the user pool.
  1. On the **Overview** tab, click **Password policy** ![chevron-down](../../../_assets/console-icons/chevron-down.svg) and select ![gear](../../../_assets/console-icons/gear.svg) **Set password policy**.
  1. Under **Password complexity**, specify the character class settings for the password:

     * **Custom**: Configure the minimum length depending on the number of character classes used in the password:
 
       * One class (`abc`)
       * Two classes (`aBc`)
       * Three classes (`aBc1`)
       * Four classes (`aB#c1`)
       
       This is the preferred option because it does not require particular characters and allows users to create more memorable yet strong passwords.
 
     * **Required**: Select the character types for the password by activating the following options:

       * **Lowercase Latin letters**
       * **Uppercase Latin letters**
       * **Digits**
       * **Special characters, e.g., `!@#$%^&*`**

       In the **Minimum length** field, specify the minimum number of characters in the password (at least seven).
       
  1. Optionally, under **Password uniqueness**, in the **Password verification** field, enable **You cannot use passwords included in the database of common passwords**. This will protect users from using passwords that can be easily guessed using a dictionary.
  1. Under **Password lifetime**, set the minimum and maximum password lifetime (up to 730 days) or select **Unlimited**.
  1. Under **Brute force protection**, specify:
     * **Number of failed password attempts before lockout**: From 1 to 100.
     * **Failed attempt interval** in minutes or seconds.
     * **Lockout duration** in minutes or seconds.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the [CLI](../../../cli/index.md) command for updating a user pool:

     ```bash
     yc organization-manager idp userpool update --help
     ```

  1. Get the list of user pools in the organization:

     ```bash
     yc organization-manager idp userpool list \
       --organization-id <organization_ID>
     ```

  1. Set up a password policy for the user pool:

     ```bash
     yc organization-manager idp userpool update <pool_ID> \
       --password-smart-one-class <minimum_length_for_1_class> \
       --password-smart-two-classes <minimum_length_for_2_classes> \
       --password-smart-three-classes <minimum_length_for_3_classes> \
       --password-smart-four-classes <minimum_length_for_4_classes> \
       --password-allow-similar \
       --password-match-length <match_substring_length> \
       --password-max-length <maximum_password_length> \
       --password-blacklist-check-common \
       --password-min-days <minimum_lifetime_in_days> \
       --password-max-days <maximum_lifetime_in_days> \
       --bruteforce-attempts <number_of_attempts> \
       --bruteforce-window <count_interval> \
       --bruteforce-block <lockout_duration>
     ```

     Where:

     * To configure custom character types (smart policy):
       * `--password-smart-one-class`: Minimum password length if using one character class (e.g., lowercase letters only).
       * `--password-smart-two-classes`: Minimum password length if using two character classes (e.g., lowercase and uppercase letters).
       * `--password-smart-three-classes`: Minimum password length if using three character classes (e.g., letters and numbers).
       * `--password-smart-four-classes`: Minimum password length if using four character classes (letters, numbers, and special characters).

     * To configure required character types (fixed policy):
       * `--password-fixed-min-length`: Minimum password length (at least 7 characters).
       * `--password-fixed-lowers-required`: Require lowercase letters.
       * `--password-fixed-uppers-required`: Require uppercase letters.
       * `--password-fixed-digits-required`: Require numbers.
       * `--password-fixed-specials-required`: Require special characters.

     * `--password-allow-similar`: Allow passwords similar to those used earlier. If the flag is not set, you cannot use similar passwords.
     * `--password-match-length`: Minimum substring length for a similarity check with vulnerable sequences.
     * `--password-max-length`: Maximum password length. If `0`, there is no limit.
     * `--password-blacklist-check-common`: Checks the password against the database of common passwords. If the flag is not set, the check is disabled.
     * `--password-min-days`: Minimum number of days before the password should be changed.
     * `--password-max-days`: Maximum number of days the password remains valid (up to 730 days). If `0`, passwords do not expire.
     * `--bruteforce-attempts`: Number of wrong password entries before lockout (1 to 100).
     * `--bruteforce-window`: Interval for counting wrong entries (e.g., `10m` for 10 minutes or `600s` for 600 seconds).
     * `--bruteforce-block`: Lockout duration after exceeding the wrong entry limit (e.g., `10m` or `600s`).

     Example of a command for setting up a password policy:

     {% list tabs group=examples %}

     - With custom character types {#smart}

       ```bash
       yc organization-manager idp userpool update fpd9mu9gqq12******** \
         --password-smart-one-class 24 \
         --password-smart-two-classes 14 \
         --password-smart-three-classes 11 \
         --password-smart-four-classes 10 \
         --password-max-length 128 \
         --password-max-days 365 \
         --bruteforce-attempts 15 \
         --bruteforce-window 10m \
         --bruteforce-block 10m \
         --password-blacklist-check-common true
       ```

     - With required character types {#fixed}

       ```bash
       yc organization-manager idp userpool update fpd9mu9gqq12******** \
         --password-fixed-min-length 8 \
         --password-fixed-lowers-required \
         --password-fixed-uppers-required \
         --password-fixed-digits-required \
         --password-max-length 128 \
         --password-max-days 365 \
         --bruteforce-attempts 15 \
         --bruteforce-window 10m \
         --bruteforce-block 10m \
         --password-blacklist-check-common true
       ```

     {% endlist %}

  For more information about the `yc organization-manager idp userpool update` command, see the [CLI reference](../../cli-ref/idp/userpool/update.md).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  For more information about Terraform, see [this guide](../../../tutorials/infrastructure-management/terraform-quickstart.md).

  1. Create a configuration file with the user pool and password policy settings:

     ```hcl
     resource "yandex_organizationmanager_idp_userpool" "my_userpool" {
       name              = "<pool_name>"
       organization_id   = "<organization_ID>"
       default_subdomain = "<subdomain>"
       description       = "<pool_description>"

       password_quality_policy = {
         allow_similar   = true
         max_length      = 128
         match_length    = 4

         # Use either the `smart` or the `fixed` block, not both; remove the one you do not need
         # Configuring custom character types
         smart = {
           one_class     = 24
           two_classes   = 14
           three_classes = 11
           four_classes  = 10
         }

         # Configuring required character types
         fixed = {
           min_length        = 8
           lowers_required   = true
           uppers_required   = true
           digits_required   = true
           specials_required = false
         }
       }

       password_blacklist_policy = {
         check_common = true
       }

       password_lifetime_policy = {
         min_days_count = 0
         max_days_count = 365
       }

       bruteforce_protection_policy = {
         attempts = 15
         window   = "10m"
         block    = "10m"
       }
     }
     ```

     Where:

     * `name`: User pool name.
     * `organization_id`: Organization ID.
     * `default_subdomain`: Default subdomain for the pool.
     * `description`: User pool description.
     * `password_quality_policy`: Password complexity settings:

       * `allow_similar`: Allow passwords similar to those used earlier.
       * `max_length`: Maximum password length. If `0`, there is no limit.
       * `match_length`: Minimum substring length for a similarity check with vulnerable sequences.

       Use either `smart` or `fixed`.

       * `smart`: Configuring custom character types (minimum length depends on how many classes are used).
         * `one_class`: Minimum password length if using one character class (e.g., lowercase letters only).
         * `two_classes`: Minimum length of a password with two character classes (e.g., lowercase and uppercase letters).
         * `three_classes`: Minimum password length if using three character classes (e.g., letters and numbers).
         * `four_classes`: Minimum password length if using four character classes (letters, numbers, and special characters).

       * `fixed`: Configuring required character types (use instead of `smart`).
         * `min_length`: Minimum password length (at least 7 characters).
         * `lowers_required`: Require lowercase letters.
         * `uppers_required`: Require uppercase letters.
         * `digits_required`: Require numbers.
         * `specials_required`: Require special characters.

     * `password_blacklist_policy`: Password uniqueness setup.
       * `check_common`: Ban passwords from the common passwords database. The default value is `false`.

     * `password_lifetime_policy`: Password lifetime settings.
       * `min_days_count`: Minimum number of days before the password should be changed.
       * `max_days_count`: Maximum number of days the password remains valid (up to 730 days). If `0`, passwords do not expire.

     * `bruteforce_protection_policy`: Settings for protection against password guessing.
       * `attempts`: Number of wrong password entries before lockout (1 to 100).
       * `window`: Interval for counting wrong entries (e.g., `10m` for 10 minutes or `600s` for 600 seconds).
       * `block`: Lockout duration after exceeding the wrong entry limit (e.g., `10m` or `600s`).

     For more information about `yandex_organizationmanager_idp_userpool` properties, see [this provider guide](../../../terraform/resources/organizationmanager_idp_userpool.md).

  1. Create the resources:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

  This will create a user pool subject to your password policy in the specified organization. You can check the new pool and its settings using the [Cloud Center UI](https://center.yandex.cloud/organization) or this CLI command:

  ```bash
  yc organization-manager idp userpool get <pool_ID>
  ```

- API {#api}

  Use the [update](../../idp/api-ref/Userpool/update.md) REST API method for the [Userpool](../../idp/api-ref/Userpool/index.md) resource or the [UserpoolService/Update](../../idp/api-ref/grpc/Userpool/update.md) gRPC API call.

{% endlist %}
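To see how the two complexity modes above differ, here is an added Python model (not part of the Yandex Cloud documentation or service code) of the **Custom** (`smart`) and **Required** (`fixed`) checks, the maximum length and the common-password check, using the threshold values from the CLI and Terraform examples; the common-password list is a constructed stand-in for the service's database.

```python
from __future__ import annotations
import string
from dataclasses import dataclass

# Character classes the policy distinguishes: lowercase, uppercase, digits, specials.
_CLASSES = (set(string.ascii_lowercase), set(string.ascii_uppercase),
            set(string.digits), set(string.punctuation))

# Constructed stand-in for the service's common-password database.
COMMON_PASSWORDS = frozenset({"password", "password1", "qwerty123", "123456789012"})


def count_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for cls in _CLASSES if any(ch in cls for ch in password))


@dataclass
class SmartPolicy:
    """'Custom' mode: the required minimum length depends on how many classes are used."""
    one_class: int = 24
    two_classes: int = 14
    three_classes: int = 11
    four_classes: int = 10

    def violations(self, password: str) -> list[str]:
        table = (self.one_class, self.two_classes, self.three_classes, self.four_classes)
        used = count_classes(password)
        need = table[max(used, 1) - 1]
        return [f"needs {need} chars for {used} class(es)"] if len(password) < need else []


@dataclass
class FixedPolicy:
    """'Required' mode: a fixed minimum length plus mandatory character classes."""
    min_length: int = 8
    lowers_required: bool = True
    uppers_required: bool = True
    digits_required: bool = True
    specials_required: bool = False

    def violations(self, password: str) -> list[str]:
        out = [] if len(password) >= self.min_length else [f"shorter than {self.min_length}"]
        flags = (self.lowers_required, self.uppers_required, self.digits_required, self.specials_required)
        for required, cls, name in zip(flags, _CLASSES, ("lowercase", "uppercase", "digit", "special")):
            if required and not any(ch in cls for ch in password):
                out.append(f"missing {name} character")
        return out


def check_password(password: str, policy, max_length: int = 128, check_common: bool = True) -> list[str]:
    """Apply the quality policy, the max length and the common-password check; [] means accepted."""
    problems = policy.violations(password)
    if max_length and len(password) > max_length:  # 0 means no limit, as in the CLI flag
        problems.append(f"longer than {max_length}")
    if check_common and password.lower() in COMMON_PASSWORDS:
        problems.append("found in common-password database")
    return problems
```

Note that under the smart thresholds a 25-character all-lowercase passphrase passes while a 9-character two-class password fails, which is the trade-off the Cloud Center UI text describes.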

{% note info %}

A password policy only applies to passwords set by users. It does not apply to automatically generated passwords.

{% endnote %}