# Configuring a Password Policy

You can configure a robust password policy, including rules for password expiration, reuse, and complexity, by configuring the following engine variables. See the [engine variables overview](https://docs.singlestore.com/db/v9.1/reference/configuration-reference/engine-variables.md) for information on working with engine variables.

When configuring the settings described below, you can use the `sdb-admin` tool (`sdb-admin update-config ...`) so that configuration changes are written to the .cnf file and persist across any server reboots.

For example, to set passwords to expire after two weeks:

```shell
sdb-admin update-config --all --set-global --key "password_expiration_seconds" --value "1209600"
```

## Password Expiration

`password_expiration_seconds`: The time in seconds before a password expires. The default value is `0`, which indicates that passwords never expire.

> **📝 Note**: When a user is created using `CREATE USER 'user'@'host'` or `CREATE USER 'user'@'host' IDENTIFIED BY ''`, the account is assigned an empty password. If `password_min_length` is `0` (the default), an empty password is treated as a valid password. If `password_min_length` is greater than 0, an empty password does not satisfy the password policy and the statement is rejected. If `password_expiration_seconds` is set to a non‑zero value and an empty password is allowed by the policy, that password expires after the configured duration and the user is required to reset it.

`expire_root_password`: Specifies whether the root password can expire. The default value is `OFF`. When set to `OFF`, the `password_expiration_seconds` duration does not apply to the root password. If set to `ON`, the root password expires after the `password_expiration_seconds` duration is reached.

> **📝 Note**: A password expiration warning is raised to the user on every query, starting 14 days before the password expires.

`password_expiration_mode`: Specifies what happens when a user's password expires. The default value is `NO_ACCESS`. If set to `NO_ACCESS`, the user cannot log in after the password expires. If set to `LIMITED_ACCESS`, the user can log in after the password expires but can only update their password using the `ALTER USER` or `SET PASSWORD` commands. Until the password is updated, no other commands can be executed except `SET SESSION` or `SET LOCAL`.

## Password Reuse

`password_history_count`: Restricts the reuse of previous user passwords. This variable is the number of previous passwords per user that SingleStore stores and disallows from reuse.

SingleStore does not allow setting a user account’s password to one of the last `password_history_count` number of passwords for that user. The count includes the current password. For example, if set to `2`, setting a user’s password to its current password or the last password before the current password is disallowed. The default value is `0`, which indicates that any previous password can be reused. The maximum is `10`.

## Password Complexity

The following variables control password complexity requirements. For each variable, the default value is `0` (disabled) and the accepted values are integers ranging from `0` to `100`.

`password_min_length`: The minimum number of characters required.

`password_min_uppercase_chars`: The minimum number of uppercase characters required.

`password_min_lowercase_chars`: The minimum number of lowercase characters required.

`password_min_numeric_chars`: The minimum number of numeric digit characters required.

`password_min_special_chars`: The minimum number of special (non-alphanumeric) characters required.

`password_max_consec_sequential_chars`: The maximum number of consecutive sequential characters allowed. For example, if set to 3, passwords with a sequence of 4 or more characters (e.g., “1234” or “abcd”) are disallowed.

`password_max_consec_repeat_chars`: The maximum number of consecutive repeated characters allowed. For example, if set to 3, passwords with 4 or more consecutive repeated characters (e.g., “aaaa” or “1111”) are disallowed.

When a user enters a new password, if the password does not meet the password complexity policy, the following error message is returned:

`Error: password does not meet the requirements specified for <variable> in your password complexity policy. Password not changed.`
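The following is an added example, not SingleStore's code: a local pre-check that evaluates a candidate password against the complexity variables above and returns the name of the first variable it fails, in the same way the error message names `<variable>`. It assumes that a sequence is an ascending run of adjacent code points and that `0` disables a check; the server's exact matching rules may differ, and `longest_run` and `first_violation` are hypothetical names.

```python
# Policy values mirror the engine variables on this page; 0 means "disabled".
# The numbers below are sample settings chosen for this example.
POLICY = {
    "password_min_length": 12,
    "password_min_uppercase_chars": 1,
    "password_min_lowercase_chars": 1,
    "password_min_numeric_chars": 1,
    "password_min_special_chars": 1,
    "password_max_consec_sequential_chars": 3,
    "password_max_consec_repeat_chars": 3,
}


def longest_run(password, step):
    """Length of the longest run in which each character's code point equals
    the previous one plus `step` (0 = repeats, 1 = ascending sequence)."""
    best = current = 1 if password else 0
    for prev, ch in zip(password, password[1:]):
        current = current + 1 if ord(ch) - ord(prev) == step else 1
        best = max(best, current)
    return best


def first_violation(password, policy=POLICY):
    """Return the name of the first variable the password fails, or None."""
    counts = {
        "password_min_length": len(password),
        "password_min_uppercase_chars": sum(c.isupper() for c in password),
        "password_min_lowercase_chars": sum(c.islower() for c in password),
        "password_min_numeric_chars": sum(c.isdigit() for c in password),
        # "Special" means non-alphanumeric, as the page defines it.
        "password_min_special_chars": sum(not c.isalnum() for c in password),
    }
    for name, have in counts.items():
        if have < policy.get(name, 0):
            return name
    runs = {
        "password_max_consec_sequential_chars": longest_run(password, 1),
        "password_max_consec_repeat_chars": longest_run(password, 0),
    }
    for name, run in runs.items():
        limit = policy.get(name, 0)
        if limit and run > limit:  # assumption: 0 disables the check
            return name
    return None
```

With a limit of 3, a run of exactly three characters (such as “abc” or “aaa”) passes; only the fourth consecutive character triggers the violation.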

## Example Password Complexity Usage

The following stored procedure creates a password complexity policy (you can also run the individual `SET` statements on the command line). Under this policy, passwords must:

* be at least 12 characters long
* include at least one uppercase character
* include at least one lowercase character
* include at least one numeric character
* include at least one special character

```sql
-- Create and select a database to hold the stored procedure.
CREATE DATABASE db_security;
USE db_security;

DELIMITER //
CREATE OR REPLACE PROCEDURE set_password_complexity_policy() AS
BEGIN
    SET GLOBAL password_min_length=12;
    SET GLOBAL password_min_uppercase_chars=1;
    SET GLOBAL password_min_lowercase_chars=1;
    SET GLOBAL password_min_numeric_chars=1;
    SET GLOBAL password_min_special_chars=1;
END
//
DELIMITER ;

CALL set_password_complexity_policy();

```

## Password Complexity and Existing Passwords

When changes are made to the password complexity policy, existing passwords are not checked. The policy only applies to new or changed passwords.

## Password Complexity in Previous Versions

For versions 7.1 - 7.5, the password complexity variable is defined as follows:

`strict_passwords`: When set to `ON`, SingleStore requires that all passwords be at least 6 characters in length, contain at least one letter, and contain at least one number. The default value is `OFF`. Setting `strict_passwords` to `ON` does not affect current users.

> **⚠️ Warning**: `strict_passwords` is deprecated as of version 7.1 of SingleStore. If you use both `strict_passwords` and any of the password complexity variables described in this topic, then *both* sets of rules are enforced. SingleStore recommends leaving `strict_passwords` set to `OFF` (the default).

***

Modified at: February 25, 2026

Source: [/db/v9.1/security/authentication/configuring-a-password-policy/](https://docs.singlestore.com/db/v9.1/security/authentication/configuring-a-password-policy/)

