Logto product update: Password policy
Discover the latest features and improvements we have been working on over the previous period.
We are excited to announce the availability of our new password policy feature in the latest Logto OSS release, with corresponding updates for our Cloud service scheduled for Thursday, September 21st.
What's new
This newly introduced feature empowers you to customize a range of password policies specific to your Logto tenant:
- Minimum password length (default: 8)
- Minimum character types (default: 1)
- Prevention of breached passwords (default: Enabled)
- Restriction of repetitive or sequential characters (default: Enabled)
- Restriction of user information in passwords (default: Enabled)
- Custom restricted words (default: None specified)
To begin configuring these settings, simply navigate to the Logto Console under "Sign-in experience" and select "Password policy".
For Logto Cloud users, please take note that we are committed to ensuring a smooth upgrade. As such, we will maintain your existing password policy as follows:
- Minimum length: 8 characters
- Minimum character types: 2
  - Please be aware that, under the new policy, lowercase and uppercase letters will no longer be counted as a single character type.
- Prevention of breached passwords: Disabled
- Restriction of repetitive or sequential characters: Disabled
- Restriction of user information in passwords: Disabled
- Custom restricted words: None specified
Should you wish to update your password policy manually, you can do so within the Logto Console as described above.
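To see how the two configurations above differ in practice, the following TypeScript is an added example, not Logto's implementation: it evaluates the same passwords against the OSS defaults and the preserved Cloud policy. The field names, the run length of 4 and the 3-character minimum for matched words are assumptions, and the breached-password check is left out because it needs an external data source.

```typescript
// Added example; not Logto's implementation. Field names are hypothetical.
type Policy = {
  minLength: number;
  minCharTypes: number;
  rejectRepeatsAndSequences: boolean;
  rejectUserInfo: boolean;
  restrictedWords: string[];
};

// Defaults from the announcement (breached-password lookup not modelled).
const ossDefault: Policy = { minLength: 8, minCharTypes: 1,
  rejectRepeatsAndSequences: true, rejectUserInfo: true, restrictedWords: [] };
// Policy preserved for existing Cloud tenants.
const cloudPreserved: Policy = { minLength: 8, minCharTypes: 2,
  rejectRepeatsAndSequences: false, rejectUserInfo: false, restrictedWords: [] };

// Lowercase and uppercase are counted as separate types, per the announcement.
function countCharTypes(pw: string): number {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter((re) => re.test(pw)).length;
}

// Assumption: RUN identical, ascending or descending characters in a row are flagged.
const RUN = 4;
function hasRepeatOrSequence(pw: string): boolean {
  for (const step of [0, 1, -1]) {
    let run = 1;
    for (let i = 1; i < pw.length; i++) {
      run = pw.charCodeAt(i) - pw.charCodeAt(i - 1) === step ? run + 1 : 1;
      if (run >= RUN) return true;
    }
  }
  return false;
}

// Returns the list of violated rules; an empty list means the password is accepted.
function checkPassword(pw: string, policy: Policy, userInfo: string[] = []): string[] {
  const lower = pw.toLowerCase();
  // Assumption: words shorter than 3 characters are ignored to avoid noise.
  const contains = (words: string[]): boolean =>
    words.some((w) => w.length >= 3 && lower.indexOf(w.toLowerCase()) !== -1);
  const issues: string[] = [];
  if (pw.length < policy.minLength) issues.push("too_short");
  if (countCharTypes(pw) < policy.minCharTypes) issues.push("character_types");
  if (policy.rejectRepeatsAndSequences && hasRepeatOrSequence(pw)) issues.push("repeat_or_sequence");
  if (policy.rejectUserInfo && contains(userInfo)) issues.push("user_info");
  if (contains(policy.restrictedWords)) issues.push("restricted_word");
  return issues;
}
```

With these constructed inputs, `alice1234x` for a user named `alice` passes the preserved Cloud policy but fails the defaults, while an all-lowercase passphrase passes the defaults and fails the Cloud policy's two-type minimum.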
Impact on users
- All new users will be subject to the new policy immediately upon creation.
- Existing users will not be affected by the updated policy until they choose to change their password.
Management API changes
We have removed password restrictions for adding or updating users via the Management API.