How can I enforce user password complexity?

For example, a password consists of letters, numbers, symbols.

I’m not sure I understand the premise of the question? To strengthen a password you would indeed include a mix of letters in different cases, numbers and symbols. Preferably random, and unique for each site/login.

A password manager is a useful tool as well.

This is general password advice though, and not specific to Discourse.

1 Like

Maybe you have misunderstood me. What I mean is that I created a discourse forum. When new users register, I need to restrict their passwords to three types

I can only adjust the length of the password from the system Settings

I think I see. You want to enforce users to have passwords that include a mix of letters, numbers, and symbols.

I’m afraid I don’t know of a way to do that currently.

1 Like

Well, thank you all the same

Is there anyone who can solve this problem?

I think these are the only settings:


Imho, this is a reasonable #feature request?

The downside of making passwords tougher to be acceptable is that you might exasperate users during sign-up and actually stop them completing it? The priority of this will surely vary by community?

@1378434153 another way of solving this might be to prevent local login and force a social/auth login which has a stronger regime.

Another thing to consider is forcing 2FA on all accounts.

1 Like

Thanks.But I don’t need two-factor authentication

But maybe your users need, or want? That should be the first priority, not yours need.

1 Like

Could you not mandate longer passwords and achieve the same thing?


It’s not a problem. Having arbitrary rules about what kinds of characters there are doesn’t help and just annoys users. Passwords are also checked against a known password database (or so I think I remember).

It is a good bet that the people who made up the rules about passwords have spent more time and energy researching best practices than most people have. I suggest you find something else to worry about.

If you want, for $250 to $1000 you can post in #marketplace and cd whatever rules you want imposed on your users.

1 Like

Industry best/recommended practices (such as championed by NIST) no longer recommending requiring “LUDS” (Lower + Upper + Digit + Symbol) or any other character class requirements. They have moved strictly to minimum length restrictions as a best practice. See for example this blog post from NIST from five years ago:

It summarizes changes in guidance, and to the best of my knowledge Discourse has implemented the recommended practices.


And there is another point too that quite often stays under radar — all of this are very anglo-centric things. What do you think… if and when I’m using short and quite easy password in finnish, in swedish, in german or actually using any other language than english, how fast a script/bot can break it?

Sure, that doesn’t help in the States, Canada, UK etc, but the world is much wider :wink: That is meaning one thing: everything is done because english speaking users are using passwords like password or qwerty :rofl: :man_facepalming:

But yes, I’m a little bit tired when an admin says I can’t use a password like ÄitiniMun because there is not several numbers or something else.

Too simple passwords aren’t issue. Using same email/password combination in several services is.

1 Like

NIST is definitely ahead of the curve on that one. The PCI-DSS for example only just went from 8 to 12 characters, and still demand alphanumeric passwords. :facepalm:


As said above by @Stephen and @mcdanlj, enforcing that isn’t the state of the art security practice anymore, so we do not require that.

However, if you want complete control over the login process of Discourse, you can delegate the authentication to a web service under your control by utilizing DiscourseConnect.


Okay, I get it. Maybe it’s not a reasonable request after all

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.