Password Policy

The Password Policy App

From the 2.0.0 release of the Password Policy app, ownCloud administrators (both enterprise and community edition) have the option of installing and enabling the application. The Password Policy application enables administrators to define password requirements for user passwords and public links.

Some of the policy rules apply to both user passwords and public links, and some apply to just one or the other. The table below shows where each option can be used.

Setting User Passwords Public Links

Specify valid password requirements



Disallow usage of a number of previous passwords


Specify a password expiration period


Forced password change on first login


Disallowing passwords that match a configurable number of previous passwords (defaults to the previous 3).


Users can be notified a configurable number of days before their password expires


Users will be notified when their password has expired.


Specify expiration dates for public link shares


Specify the number of days until link expires if a password is set


Specify the number of days until link expires if a password is not set


Here is an example of what an administrator will see:

The ownCloud Password Policy app.

Active user sessions will not end when passwords expire. However, a password change will be forced when the user session expires (e.g., on logout). OAuth2 tokens for app or client authentication and app passwords are not affected.

Installing and enabling the application also extends the occ command to support password policy management.

After enabling the "days until user password expires" policy setting in the web UI, administrators need to run the occ user:expire-password command to set an initial password change date for all existing users.
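The history and expiration rules above can be modelled as follows. This is an added example, not ownCloud's own code: the function names, the PBKDF2 storage format, the 90-day and 7-day values, and the assumption that the history list includes the current password are all illustrative. Only the history depth of 3 comes from this page.

```python
import hashlib
import hmac
import os
from datetime import timedelta

HISTORY_DEPTH = 3   # page default: the previous 3 passwords are disallowed
EXPIRE_DAYS = 90    # constructed value for "days until user password expires"
NOTIFY_DAYS = 7     # constructed value for the pre-expiry notification window


def hash_password(password, salt=None):
    """Return (salt, digest); history entries are stored hashed, never in plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(candidate, history, depth=HISTORY_DEPTH):
    """True if candidate equals one of the last `depth` passwords.

    history is a list of (salt, digest) tuples, oldest first. Each entry has
    its own salt, so the candidate is re-hashed once per entry.
    """
    recent = history[-depth:] if depth > 0 else []
    hit = False
    for salt, digest in recent:
        _, candidate_digest = hash_password(candidate, salt)
        # Constant-time compare; keep looping so timing does not reveal which entry matched.
        hit |= hmac.compare_digest(candidate_digest, digest)
    return hit


def expiry_status(last_changed, today, expire_days=EXPIRE_DAYS, notify_days=NOTIFY_DAYS):
    """Classify an account as 'no-date', 'ok', 'notify' or 'expired'."""
    if last_changed is None:
        # Existing user with no recorded change date: the case the page says
        # needs occ user:expire-password to set an initial date.
        return "no-date"
    expires = last_changed + timedelta(days=expire_days)
    if today >= expires:
        return "expired"
    if today >= expires - timedelta(days=notify_days):
        return "notify"
    return "ok"
```
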

The Security App

Do not configure password policies using the Security and Password Policy apps simultaneously. Please use either one or the other. However, the brute-force protection part of the Security app can and should be used in parallel with the Password Policy app.

You can, alternatively, use the Security app. It supports configuring a basic password policy, which includes:

  1. Setting a password length

  2. Whether to enforce at least one upper and lower case character, a numerical character, and a special character.

In the next release, the Security app’s feature-set will be reduced to provide only brute-force protection capabilities and be renamed "Brute-Force Protection".