Setting password rules in the Enpass Admin Console

With this policy, administrators define their organization's password rules, including password-generation and expiry rules. The Enpass application applies these rules when new passwords are created with the Password Generator and flags any password that does not comply as rule-violating.

Password Policy

Adding Password Rules

When opening the password policy settings for the first time, administrators are prompted to choose one of the following:

  • Add Master Rule – The default rule that applies to every domain for which no domain-specific rule exists.
  • Add Domain-Specific Rule – A customized rule for a particular domain that overrides the Master Rule for that domain.

Master Rule (Global Password Policy)

The Master Rule sets the baseline for password security in your organization. It applies everywhere unless overridden by a domain-specific rule.

Add Default Rule

  1. Random Passwords
    • Minimum / Maximum Length – Set the allowed length range for generated passwords.
    • Uppercase Letters – Require at least one uppercase letter.
    • Digits – Require at least one digit.
    • Symbols:
      • All – Allow any symbol.
      • Include – Specify which symbols must be used.
      • Exclude – Block specific symbols that some websites reject.
  2. Pronounceable Passwords
    • Minimum / Maximum Words – Set how many words a generated password contains.
    • Uppercase Letters – Require at least one uppercase letter.
    • Digits – Require at least one digit.

Password Expiry Rule

If your organization's password policy requires passwords to be rotated after a fixed interval, this rule lets the administrator specify that interval.

  • If Expiry is Disabled – Passwords remain valid indefinitely and are never flagged as expired.
  • If Expiry is Enabled – Administrators specify an interval; once it has elapsed, Enpass flags the password as expired.

Password Rule Enforcement

Enpass automatically evaluates existing passwords against the defined policies and flags any non-compliant passwords as rule-violating. This helps administrators identify passwords that do not meet the organization's password policy requirements.

Note: These rules will not prevent users from creating any password. They will only flag passwords as rule-violating.

How Password Validation Works

For Random Passwords: Enpass validates each password against defined policy criteria, including minimum length, required use of uppercase characters, numerical digits, and special symbols. Any password that does not satisfy one or more of these conditions is flagged as rule-violating.

For Pronounceable Passwords: Enpass verifies that every word comes from its Diceware word list and that the minimum word count is met. A password containing a word outside the Diceware list, or failing the minimum-word, uppercase, lowercase or digit rules, is flagged as rule-violating.

Examples of Rule Violations:

  • Policy requires 12+ characters, password has only 8 characters - Rule-violating
  • Policy requires special characters, password contains none - Rule-violating
  • Policy sets a maximum of 16 characters, password has 20 characters but meets all other criteria - Not rule-violating (the maximum length constrains the Password Generator; validation of stored passwords checks only the minimum length)

Domain-Specific Password Rules

Some websites have unique password requirements that might not align with your global policy. In these cases, you can set Domain-Specific Rules:

  • Add the website under Domain-Specific Rules.
  • Define the rules that match the site’s requirements.

These rules always take priority over the Master Rule for that domain, so passwords stay compatible with the site's requirements without relaxing the policy anywhere else.
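The following is an added, illustrative model of the evaluation logic this page describes (rule resolution, random-password validation and expiry flagging). It is not Enpass code and does not reproduce the Enpass implementation. Assumptions: a "symbol" is any ASCII punctuation character, an "Include" list means only those symbols satisfy the symbol requirement, expiry is measured in days, the sample vault entries and domains are constructed, and pronounceable-password checks against the Diceware list are left out. The maximum length is deliberately not validated, matching the page's 20-character example.

```python
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

SYMBOLS = set(string.punctuation)  # assumption: "symbol" means any ASCII punctuation character


@dataclass
class RandomRule:
    """One 'Random Passwords' rule. max_length only constrains the generator;
    stored-password validation does not check it (see the page's 20-character example)."""
    min_length: int = 12
    max_length: int = 16
    require_uppercase: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    include_symbols: str = ""  # assumption: if set, only these symbols satisfy the symbol requirement
    exclude_symbols: str = ""  # any of these present in a password is a violation


@dataclass
class Policy:
    master: RandomRule
    domain_rules: Dict[str, RandomRule] = field(default_factory=dict)
    expiry_days: Optional[int] = None  # None means expiry is disabled

    def rule_for(self, domain: str) -> RandomRule:
        """A domain-specific rule always overrides the Master Rule for that domain."""
        return self.domain_rules.get(domain.lower(), self.master)


def violations(password: str, rule: RandomRule) -> List[str]:
    """Return the checks a stored password fails (empty list means compliant)."""
    found = []
    if len(password) < rule.min_length:
        found.append(f"shorter than {rule.min_length} characters")
    if rule.require_uppercase and not any(c.isupper() for c in password):
        found.append("no uppercase letter")
    if rule.require_digit and not any(c.isdigit() for c in password):
        found.append("no digit")
    if rule.require_symbol:
        allowed = set(rule.include_symbols) if rule.include_symbols else SYMBOLS
        if not any(c in allowed for c in password):
            found.append("no required symbol")
    banned = set(rule.exclude_symbols)
    if banned and any(c in banned for c in password):
        found.append("contains excluded symbol")
    # No max_length check on purpose: a longer password is not flagged.
    return found


def is_expired(last_changed: date, policy: Policy, today: date) -> bool:
    """Expiry disabled: never expired. Enabled: expired once the interval has elapsed."""
    if policy.expiry_days is None:
        return False
    return today - last_changed >= timedelta(days=policy.expiry_days)


def evaluate(domain: str, password: str, last_changed: date, policy: Policy, today: date) -> dict:
    """Flag one vault entry the way the page describes: flag, never block."""
    rule = policy.rule_for(domain)
    return {
        "domain": domain,
        "rule": "domain-specific" if domain.lower() in policy.domain_rules else "master",
        "violations": violations(password, rule),
        "expired": is_expired(last_changed, policy, today),
    }


# Constructed sample policy and vault entries (hypothetical domains, not real credentials).
POLICY = Policy(
    master=RandomRule(min_length=12, max_length=16),
    domain_rules={
        "legacybank.example": RandomRule(min_length=8, require_symbol=False, exclude_symbols="<>&"),
    },
    expiry_days=90,
)
TODAY = date(2024, 6, 1)
SAMPLE_ENTRIES = [
    ("mail.example", "Tr0ub4dor&3xyz", date(2024, 5, 1)),          # compliant and fresh
    ("mail.example", "short1!A", date(2024, 1, 1)),                # too short, and expired
    ("mail.example", "NoSymbols12345678901", date(2024, 5, 20)),   # 20 chars: no symbol flagged, length not
    ("legacybank.example", "Bank0pass", date(2024, 5, 20)),        # site rule: 8+ chars, no symbol needed
    ("legacybank.example", "Bank0<pass", date(2024, 5, 20)),       # site rule bans '<'
]


def report(entries=SAMPLE_ENTRIES, policy=POLICY, today=TODAY) -> List[dict]:
    return [evaluate(d, p, lc, policy, today) for d, p, lc in entries]


if __name__ == "__main__":
    for result in report():
        print(result)
```

Running the block prints one result per sample entry; only the third entry shows that a 20-character password exceeding the 16-character maximum is flagged for its missing symbol, not for its length.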
