Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Atlassian Cloud Password Policy

We subscribe to the Atlassian Cloud services and have JIRA and Confluence.  Although we've verified our domains, we don't subscribe (pay for) Atlassian Access - so we have no way of managing the password policy for managed user accounts.  Fine.  WHAT is the password policy that's enforced by default with you DON'T have Atlassian Access?  Our auditors are asking and I can't find anything in the documentation to tell me.

1 answer

1 accepted

1 vote
Answer accepted

Hi Matthew,

The standard password requirement is 8 to 100 characters. There are no constraints on character complexity.

You're completely correct that the documentation can't be found. I've opened a ticket internally and we're working on getting the documentation updated. Once the updated documentation is live, I'll post the link here.


Update: the password requirements are now documented on our Password Policies article.

I don't think it is 8 characters as someone from security did 4 characters and it was accepted?

Daniel Eads Atlassian Team Jul 16, 2019

Hey Sanjeev, welcome to the Community!

I've just tested password lengths of 1-7 characters and they all fail. Here's some proof of this in action, the failure with 6, increasing to 7, and still having it fail:test_create.gif


If you are currently subscribed to Atlassian Access, it's possible for your organization administrator to set a password strength requirement lower than what we require for unmanaged accounts. For example, setting a 'weak' policy would allow a user to select a password like 'n98k'. The fix for this is simply to require stronger passwords in your policy configuration!



Thank you for your answer Daniel.

But in the password policy you say that you use entropy score.

If we choose very strong option what is the minimum score used ?

in the exemple you show a password with 11 of lenght and 4 of complexity.

What happen if we want to set the min lenght to 12?



Daniel Eads Atlassian Team Oct 29, 2019

@Lionel SAMUEL we use the zxcvbn library to calculate the entropy. There's not so much a concept of length requirements for strength - instead it looks at the characters used (and subtracts common passwords plus some obvious no-no's like the username).

For lots of information about how zxcvbn calculates the score, check out this informative blog post. If the policy at your company sets a 12 character limit, I would recommend setting the complexity to "Strong" after reviewing how the score is calculated. As an alternative, you could use an Atlassian Access subscription to set up your accounts with SAML at another authentication provider (Okta, Azure AD, etc) where you may have more precise password policies available.


Like Steffen Opel _Utoolity_ likes this

Suggest an answer

Log in or Sign up to answer
Community showcase
Asked in Atlassian Account

Upcoming AMA with the Atlassian Identity Product Managers!

"Atlassian Account" is a space where you can raise questions about your Atlassian Account and your identity across all of our Atlassian Cloud Products. This involves understanding User Managemen...

1,381 views 8 17
View question

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you