Password Policies

Overview

Trousseau enforces strict password policies for all users in the ecosystem. These policies apply during:

Your application does not need to implement any password validation: Trousseau handles it entirely.

Rule	Requirement	Details
Minimum length	10 characters	Enforced at input
Uppercase	At least 1 uppercase letter	A-Z
Lowercase	At least 1 lowercase letter	a-z
Digits	At least 1 digit	0-9
Symbols	At least 1 special character	``!@#$%^&*()_+-=[]
Strength check	zxcvbn score 3+	Rejects common patterns, keyboard walks, repeated characters
Breach check	Not in known breaches	Checked against Have I Been Pwned via k-anonymity API

Mechanism	Detail
Reputation scoring	IP address and username are scored. Repeated failures reduce the score.
Threshold	Score drops below -5 → authentication is blocked
Expiry	Reputation entries expire after 24 hours
Flow cancellation	After 5 consecutive failed attempts, the authentication flow is cancelled. The user must restart.

You don't validate passwords: Trousseau handles all password policies server-side
Users choose strong passwords: The zxcvbn check prevents weak passwords even if they meet the character requirements
Breached passwords are rejected: Users cannot reuse passwords that have appeared in known data breaches
Brute-force is mitigated: Repeated login failures are throttled automatically

Limitation	Detail
No password reuse prevention	Authentik Open Source does not support password history (Enterprise feature)
No client-side strength indicator	Password strength check runs server-side; errors are shown after form submission
No hard account lockout	Only flow cancellation and reputation scoring; the user can retry after the reputation expires

These limitations are inherent to the Authentik Open Source edition and may be addressed in future versions.