diff options
Diffstat (limited to 'doc/user/profile/user_passwords.md')
-rw-r--r-- | doc/user/profile/user_passwords.md | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/doc/user/profile/user_passwords.md b/doc/user/profile/user_passwords.md new file mode 100644 index 00000000000..04d149c9709 --- /dev/null +++ b/doc/user/profile/user_passwords.md @@ -0,0 +1,76 @@ +--- +stage: Manage +group: Authentication and Authorization +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# User passwords **(FREE)** + +If you use a password to sign in to GitLab, a strong password is very important. A weak or guessable password makes it +easier for unauthorized people to log into your account. + +Some organizations require you to meet certain requirements when choosing a password. + +Improve the security of your account with [two-factor authentication](account/two_factor_authentication.md) + +## Choose your password + +You can choose a password when you [create a user account](account/create_accounts.md). + +If you register your account using an external authentication and +authorization provider, you do not need to choose a password. GitLab +[sets a random, unique, and secure password for you](../../security/passwords_for_integrated_authentication_methods.md). + +## Change your password + +You can change your password. GitLab enforces [password requirements](#password-requirements) when you choose your new +password. + +1. On the top bar, in the top-right corner, select your avatar. +1. Select **Edit profile**. +1. On the left sidebar, select **Password**. +1. In the **Current password** text box, enter your current password. +1. In the **New password** and **Password confirmation** text box, enter your new password. +1. Select **Save password**. + +If you don't know your current password, select the **I forgot my password** link. A password reset email is sent to the +account's **primary** email address. + +## Password requirements + +Your passwords must meet a set of requirements when: + +- You choose a password during registration. +- You choose a new password using the forgotten password reset flow. +- You change your password proactively. +- You change your password after it expires. +- An an administrator creates your account. +- An administrator updates your account. + +By default GitLab enforces the following password requirements: + +- Minimum and maximum password lengths. For example, + see [the settings for GitLab.com](../gitlab_com/index.md#password-requirements). +- Disallowing [weak passwords](#block-weak-passwords). + +Self-managed installations can configure the following additional password requirements: + +- [Password minimum and maximum length limits](../../security/password_length_limits.md). +- [Password complexity requirements](../admin_area/settings/sign_up_restrictions.md#password-complexity-requirements). + +## Block weak passwords + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default. + +FLAG: +On self-managed GitLab, by default blocking weak passwords is not available. To make it available, ask an administrator +to [enable the feature flag](../../administration/feature_flags.md) named `block_weak_passwords`. On GitLab.com, this +feature is available but can be configured by GitLab.com administrators only. + +GitLab disallows weak passwords. Your password is considered weak when it: + +- Matches one of 4500+ known, breached passwords. +- Contains part of your name, username, or email address. +- Contains a predictable word (for example, `gitlab` or `devops`). + +Weak passwords are rejected with the error message: **Password must not contain commonly used combinations of words and letters**. |