authentik/website/docs/policies/index.md

---
title: Policies
---

## Standard Policies

---

### Reputation Policy

authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).

This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.

## Expression Policy

See [Expression Policy](expression.md).

## Password Policies

---

### Password Policy

This policy allows you to specify password rules, such as length and required characters.
The following rules can be set:

- Minimum amount of uppercase characters.
- Minimum amount of lowercase characters.
- Minimum amount of symbols characters.
- Minimum length.
- Symbol charset (define which characters are counted as symbols).

### Have I Been Pwned Policy

This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.

### Password-Expiry Policy

This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
			`title: Policies`
			`---`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
			`## Standard Policies`

docs: add docs for property mappings, switch to material theme 2019-12-10 10:25:34 +00:00			`---`

docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00			`### Reputation Policy`

wip: rename to authentik (#361) * root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * : new sentry dsn tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject 2020-12-05 21:08:42 +00:00			`authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
docs(terminology.md): clarity & capitalisation 2020-06-18 18:27:20 +00:00			`This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
docs: update policy types, add docs for expression policies 2020-02-19 09:21:28 +00:00			`## Expression Policy`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
policies/expression: migrate to raw python instead of jinja2 (#49) * policies/expression: migrate to raw python instead of jinja2 * lib/expression: create base evaluator, custom subclass for policies * core: rewrite propertymappings to use python * providers/saml: update to new PropertyMappings * sources/ldap: update to new PropertyMappings * docs: update docs for new propertymappings * root: remove jinja2 * root: re-add jinja to lock file as its implicitly required 2020-06-05 10:00:27 +00:00			`See [Expression Policy](expression.md).`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
			`## Password Policies`

docs: add docs for property mappings, switch to material theme 2019-12-10 10:25:34 +00:00			`---`

docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00			`### Password Policy`

docs(terminology.md): clarity & capitalisation 2020-06-18 18:27:20 +00:00			`This policy allows you to specify password rules, such as length and required characters.`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00			`The following rules can be set:`

docs: cleanup, add 2021.3 to sidebar 2021-03-02 21:10:54 +00:00			`- Minimum amount of uppercase characters.`
			`- Minimum amount of lowercase characters.`
			`- Minimum amount of symbols characters.`
			`- Minimum length.`
			`- Symbol charset (define which characters are counted as symbols).`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
			`### Have I Been Pwned Policy`

wip: rename to authentik (#361) * root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * : new sentry dsn tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject 2020-12-05 21:08:42 +00:00			`This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.`
docs: add initial structure, add docs for policies and factors 2019-12-09 20:00:45 +00:00
			`### Password-Expiry Policy`

docs(terminology.md): clarity & capitalisation 2020-06-18 18:27:20 +00:00			`This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.`