Secure password configuration

Enforce your users on the team level to set strong complex passwords.

Ilya Krukowski avatar
Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan.

Secure password configuration allows you to define custom password policies for all users of the team. With this feature you can be sure that all members of the team are utilizing strong passwords and change them on a regular basis.

Getting started

To get started with this feature, you must be a team owner, biller, or an admin.

Click on the avatar in the bottom left corner and choose Team settings:

Proceed to the Advanced security tab and tick the Enable Secure password configuration option:

Now you'll need to define your password policy.

Defining password policy

After enabling the secure password configuration, you're going to see the following options:

  • User password expires in — how often users will be prompted to change their passwords. When a password expires, users will be prompted to change their password upon the next login. Available values:

    • 30 days

    • 60 days

    • 90 days

    • 180 days

  • Remember password history — when this option is enabled, Lokalise will remember last passwords users have set and won't allow them to re-use the same passwords. Available values range from 1 to 10 remembered passwords.

  • Minimum password length (from 8 to 255 characters) — the minimum password length.

Please note that the Complexity option has been removed because now all the password must meet the following requirements:

  • Has a lowercase character

  • Has an uppercase character

  • Has a non-alpha character

  • The password cannot be the same as the user's email

  • The password has not been compromised in haveibeenpwned.com database

Previously some of these requirements could be turned off but this is not the case anymore. This change has been introduced to increase the overall security level.

Secure password configuration enforced for the users

Existing users

After you have defined a password policy, it will be enforced for all users of the team. If a user's password does not meet the new requirements, that user will not be able to enter the corresponding team. Upon logging in, they will see the following screen:

After clicking the Change password button, the user will be brought to his/her personal profile and will be asked to change the currently set password. All password requirements according to the defined policy will be summed up in the top of the dialog box:

All users will also receive notification emails with a "change password" link:

Admin who changes secure password configuration settings will be enforced to change the password on the next login. Otherwise, they will see a message prompting to change the password:

After changing the password to a proper one, the user will be able to continue working within the team.

New users

If a new user joins the team with the secure password configuration enabled, s/he will also be prompted to set the password according to the defined policies:

Edge cases and more complex scenarios

A user can belong to multiple teams, with each team potentially enforcing different password security levels. For instance, while some teams might require strong passwords, others may not. If a user's password fails to meet the requirements of certain teams, they will be restricted to working only within teams that don't demand secure passwords. To gain access to the more secure teams, the user will need to update their password accordingly.


When a user is part of two teams with varying security policies, these policies will be summed up and the user will have to comply with the most restrictive rules in order to work in both teams. To illustrate, consider John, who is a member of two teams with distinct password policies:

  • Team A mandates that passwords must include both letters and numbers and be at least 10 characters long.

  • Team B requires passwords to include letters, special symbols, and be at least 8 characters long.

If John's password includes letters, special symbols, and is 9 characters long, he will have access to Team B but not Team A. Conversely, if his password incorporates letters, special symbols, numbers, and spans 11 characters, he will be eligible to work with both teams.


Adding a new user with a weak password to a team that enforces strong password requirements will not prompt an immediate password change. This is because our security standards ensure we do not know a user's password, and thus cannot assess its strength relative to our policies. In other words, Lokalise cannot "understand" if a password meets the security requirements. Nevertheless, toggling the secure password feature off and on will prompt users to update their passwords.

This constraint only affects existing users added to a team. It does not apply to new users not yet registered in our system.

Our advice is to invite individuals without a Lokalise account or to activate the password rotation feature within a team (Remember password history), ensuring all users' passwords are updated during the next cycle.


Should you transfer a project into a team that enforces a password policy, from one that doesn’t, all associated contributors will need to update their passwords to align with the new requirements. This is because the move also entails transferring the project's contributors.

Did this answer your question?