Secure password configuration

Enforce strong, complex passwords for your team members.

Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan.

Secure password configuration allows you to set custom password policies for all team members, ensuring they use strong, complex passwords and update them regularly. This adds an extra layer of security across your team.

Enabling secure password configuration

To enable this feature, you must be a team owner, biller, or admin.

  • Click on your avatar in the bottom-left corner and select Team settings.

  • Go to the Advanced security tab and check the box for Enable Secure password configuration.

Now, you can define your team's custom password policy.


Defining password policy

After enabling the secure password configuration, you’ll see several options to customize your team's password policy:

  • User password expires in — Defines how often users must change their passwords. Once a password expires, users will be prompted to reset it during their next login. Available values:

    • 30 days

    • 60 days

    • 90 days

    • 180 days

  • Remember password history — When enabled, Lokalise will remember a set number of previously used passwords, preventing users from reusing them. You can set this value from 1 to 10 passwords.

  • Minimum password length — Set the minimum number of characters for passwords. The range is from 8 to 255 characters.

Password complexity requirements

The Complexity option has been removed, and now all passwords must meet the following requirements:

  • Must include at least one lowercase character

  • Must include at least one uppercase character

  • Must include at least one non-alphabetic character

  • Cannot be the same as the user’s email

  • Must not have been compromised, as checked against the haveibeenpwned.com database

These requirements are mandatory to ensure a higher level of security for your team. Previously, some of these requirements could be disabled, but this is no longer the case.
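The requirements above, written as a check that runs when a password is set (an added example, not Lokalise's code). It assumes the breach lookup uses the Pwned Passwords range format, where only the first five hex characters of the SHA-1 hash are sent and the response lists `SUFFIX:COUNT` lines; the page only states that passwords are checked against haveibeenpwned.com. The function names, the sample password, and the offline `constructed_range` response are constructed for illustration.

```python
import hashlib

def pwned_count(password, fetch_range):
    """Return the breach count for password using the k-anonymity range format."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Only the 5-character prefix is handed to fetch_range; matching is local.
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def policy_violations(password, email, min_length, fetch_range):
    """List every requirement from the page that the candidate password fails."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(not c.isalpha() for c in password):
        problems.append("no non-alphabetic character")
    # Assumption: the email comparison ignores case and surrounding whitespace.
    if password.strip().casefold() == email.strip().casefold():
        problems.append("same as email")
    if pwned_count(password, fetch_range) > 0:
        problems.append("found in breach data")
    return problems

BREACHED_SAMPLE = "Summer2024!"  # constructed sample, treated as compromised

def constructed_range(prefix):
    """Offline stand-in for a range lookup: returns 'SUFFIX:COUNT' lines."""
    known = hashlib.sha1(BREACHED_SAMPLE.encode("utf-8")).hexdigest().upper()
    lines = ["0" * 35 + ":3"]  # constructed filler entry
    if known.startswith(prefix):
        lines.append(known[5:] + ":1287")  # constructed count
    return "\r\n".join(lines)
```

A password such as `Summer2024!` passes every character rule and still fails on the breach lookup, which is why that check is listed alongside the complexity rules.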


Secure password configuration enforced for the users

Existing users

Once the new password policy is defined, it will apply to all users in the team. If a user's password does not meet the new requirements, they will be unable to access the team. When they attempt to log in, they will see the following screen:

Upon clicking the Change password button, the user will be directed to their personal profile and prompted to update their password. The dialog box will display all the password requirements according to the newly defined policy at the top:

Additionally, all users will receive a notification email with a "change password" link.


Admins who update the secure password configuration settings will also be required to change their password at their next login. If they don’t, they will see a message prompting them to update their password:

Once the password is updated to meet the policy, users will be able to continue working within the team.

New users

New users joining the team with secure password configuration enabled will be prompted to set a password that meets the defined policies upon registration.



Edge cases and more complex scenarios

Users belonging to multiple teams

A user can belong to multiple teams, each with different password security levels. For instance, while some teams may enforce strong passwords, others might not. If a user’s password doesn’t meet the requirements of more secure teams, they will only have access to teams with less strict policies. To access the secure teams, the user will need to update their password.

Handling multiple teams with varying security policies

When a user is part of two teams with different security policies, the most restrictive rules will apply. To work in both teams, the user must meet the highest security standards.

For example, let’s consider John, who is a member of two teams with distinct password policies:

  • Team A requires passwords to have letters, numbers, and be at least 10 characters long.

  • Team B mandates passwords to have letters, special symbols, and be at least 8 characters long.

If John’s password has letters, special symbols, and is 9 characters long, he can access Team B but not Team A. However, if his password includes letters, special symbols, numbers, and is 11 characters long, he will meet the requirements for both teams.
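John's scenario as an added example (not Lokalise's code): each team policy is modelled as a minimum length plus a set of required character classes, and the strictest combined policy is the longest minimum with the union of required classes. The `Policy` type, the class names, and the sample passwords are constructed for illustration.

```python
from dataclasses import dataclass
import string

@dataclass(frozen=True)
class Policy:
    min_length: int
    required: frozenset  # subset of {"letters", "numbers", "symbols"}

# How each character class from the example is recognised (assumption).
CLASS_TESTS = {
    "letters": str.isalpha,
    "numbers": str.isdigit,
    "symbols": lambda c: c in string.punctuation,
}

def classes_in(password):
    """Character classes present in the candidate password."""
    return {name for name, test in CLASS_TESTS.items()
            if any(test(c) for c in password)}

def satisfies(password, policy):
    # Evaluated only when the plaintext is available (set or change time).
    return (len(password) >= policy.min_length
            and policy.required <= classes_in(password))

def accessible_teams(password, teams):
    """Teams whose policy the password meets."""
    return sorted(name for name, p in teams.items() if satisfies(password, p))

def strictest(policies):
    """Combined policy a user must meet to work in every team."""
    policies = list(policies)
    return Policy(max(p.min_length for p in policies),
                  frozenset().union(*(p.required for p in policies)))

TEAMS = {
    "Team A": Policy(10, frozenset({"letters", "numbers"})),
    "Team B": Policy(8, frozenset({"letters", "symbols"})),
}

# Constructed sample passwords matching the two cases in the text.
NINE_CHARS_LETTERS_SYMBOLS = "abcd#efg!"
ELEVEN_CHARS_ALL_CLASSES = "abcd#efg!12"
```

A password that satisfies `strictest(TEAMS.values())` satisfies every individual team policy, which is the "most restrictive rules" behaviour described above.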

Adding users with weak passwords to teams with strong password requirements

When you add a new user with a weak password to a team that enforces strong password requirements, Lokalise won’t automatically prompt them to change their password. This is due to security standards that prevent Lokalise from knowing a user’s password or assessing its strength. In such cases, Lokalise cannot immediately determine if the password complies with the team’s policy.

To prompt users to update their passwords, you can toggle the Secure password configuration off and back on. This will enforce the password change for existing users.

This constraint only affects users already registered in Lokalise. It does not apply to new users who have not yet registered in the system.

Tip: Invite users without a Lokalise account or activate the password rotation feature (using Remember password history) to ensure all users update their passwords during the next cycle.

Transferring projects between teams with different security policies

If you transfer a project from a team without strict password policies to one that enforces them, all contributors will need to update their passwords to comply with the new team’s requirements. This is because project contributors are transferred along with the project itself.
