
# Password Expiration Policy - How to Configure

{% hint style="warning" %}
This feature is available for **private cloud** and **on-premise installations only**. It is not available on the aqua public cloud (app.aqua-cloud.io).
{% endhint %}

### **Overview** :key:

The password expiration policy allows administrators to enforce periodic password changes for all standard users in the environment. When enabled, users whose passwords have exceeded the configured period will be required to set a new password before they can log in.

### **Prerequisites**

* Private cloud or on-premise installation
* Access to the aqua server configuration file (`appSettings`)
* aqua version 26.26 or newer

### **Configuration Parameters**

All settings are configured by adding keys under `<appSettings>` in the following file on the aqua server:

```
aquaWebService\Web.config
```

| Parameter | Default | Description |
| --- | --- | --- |
| `PasswordExpiryEnabled` | false | Master switch — enables or disables the feature globally |
| `PasswordExpiryDays` | 90 | Number of days a password remains valid before the user is forced to set a new one on their next login |
| `PasswordMinimumAgeHours` | 24 | Minimum time (in hours) before a user can change their password again voluntarily |
| `PasswordHistorySize` | 5 | Number of previous passwords blocked from reuse. Set to 0 to disable history checks |
| `AccountLockoutEnabled` | false | Enables account lockout after repeated failed login attempts |
| `AccountLockoutMaxAttempts` | 5 | Number of consecutive failed logins before an account is locked |
| `AccountLockoutDurationMinutes` | 30 | Duration in minutes for which the account remains locked |

Add the following block:

```
<!-- Master switch for password expiry (see the parameter table above) -->
<add key="PasswordExpiryEnabled" value="true" />

<!-- Passwords expire after 90 days; user must set a new one on next login.
     Setting to 0 disables password expiry. -->
<add key="PasswordExpiryDays" value="90" />

<!-- After a successful change, the user must wait 24 hours before changing again -->
<add key="PasswordMinimumAgeHours" value="24" />

<!-- Block reuse of the last 5 passwords (and trivial variations of them).
     Setting to 0 disables history checks. -->
<add key="PasswordHistorySize" value="5" />

<!-- Master switch for account lockout (see the parameter table above) -->
<add key="AccountLockoutEnabled" value="true" />

<!-- Lock the account after 5 failed login attempts.
     Setting to 0 disables lockout. -->
<add key="AccountLockoutMaxAttempts" value="5" />

<!-- Keep the account locked for 30 minutes after lockout -->
<add key="AccountLockoutDurationMinutes" value="30" />
```

To disable an individual feature, either set its value to 0 or omit the key entirely.
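As an added example (not part of the aqua documentation or product), the following Python script reads the policy keys from a Web.config `<appSettings>` section, applies the defaults from the parameter table for any key that is omitted, and flags combinations that leave a feature inactive, such as `PasswordExpiryEnabled` set to true while `PasswordExpiryDays` is 0. The sample configuration is constructed for this example; treating a value of 0 and a false master switch as equivalent ways of disabling a feature follows the text above but is an assumption about the server's behaviour, and the function names are the example's own.

```python
# Added example, not aqua's own tooling: read the password-policy keys from a
# Web.config <appSettings> section and report the effective, checked values.
import xml.etree.ElementTree as ET

# Defaults from the parameter table; appSettings values are strings.
DEFAULTS = {
    "PasswordExpiryEnabled": "false",
    "PasswordExpiryDays": "90",
    "PasswordMinimumAgeHours": "24",
    "PasswordHistorySize": "5",
    "AccountLockoutEnabled": "false",
    "AccountLockoutMaxAttempts": "5",
    "AccountLockoutDurationMinutes": "30",
}

# Constructed sample of the relevant part of aquaWebService\Web.config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="PasswordExpiryEnabled" value="true" />
    <add key="PasswordExpiryDays" value="0" />
    <add key="PasswordHistorySize" value="5" />
    <add key="AccountLockoutMaxAttempts" value="5" />
  </appSettings>
</configuration>
"""


def read_policy(config_xml: str) -> dict:
    """Effective policy: keys present under <appSettings> override the table defaults."""
    root = ET.fromstring(config_xml)
    policy = dict(DEFAULTS)
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key")
        if key in policy:
            policy[key] = add.get("value", "").strip()
    return policy


def is_true(value: str) -> bool:
    return value.lower() == "true"


def check_policy(policy: dict) -> list:
    """Findings for settings that leave a feature inactive or contradict each other."""
    findings = []
    if not is_true(policy["PasswordExpiryEnabled"]):
        findings.append("password expiry is off (PasswordExpiryEnabled=false)")
    elif int(policy["PasswordExpiryDays"]) == 0:
        findings.append("PasswordExpiryEnabled=true but PasswordExpiryDays=0 disables expiry")
    if int(policy["PasswordHistorySize"]) == 0:
        findings.append("password history checks are off (PasswordHistorySize=0)")
    if not is_true(policy["AccountLockoutEnabled"]):
        findings.append("account lockout is off (AccountLockoutEnabled=false)")
    elif int(policy["AccountLockoutMaxAttempts"]) == 0:
        findings.append("AccountLockoutEnabled=true but AccountLockoutMaxAttempts=0 disables lockout")
    return findings


if __name__ == "__main__":
    # On a real server, pass the contents of aquaWebService\Web.config
    # (open(path).read()) instead of the constructed sample.
    effective = read_policy(SAMPLE_WEB_CONFIG)
    for key, value in effective.items():
        print(f"{key} = {value}")
    for finding in check_policy(effective):
        print("WARNING:", finding)
```

Because both master switches default to false, a configuration with all keys omitted reports both features as off, which matches the statement that omitting a key disables the feature. Running the script after every edit of `Web.config` is a cheap way to catch a rollout in which expiry looks enabled but one of the numeric keys silently switches it off.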

### **First-time activation** :stopwatch:

When the feature is enabled for the first time, all existing users will have no password change date on record. The system will treat all of them as expired immediately. **Every user will be required to set a new password on their first login** after the feature is activated. Plan for this and communicate to your users in advance.

### **Who Is Affected**

The policy applies to all standard aqua users who authenticate with aqua's native password-based login.

The following users are **exempt by default** and are not affected by any of these settings:

* Technical users: Sync users, API users
* Users authenticating via SAML, Active Directory, or LDAP — their password management is handled by the external provider

**Per-user exemption** — server administrators can flag individual users (e.g. the Jira plugin's technical user) as Exempt from password expiry in the user profile.

{% hint style="danger" %}
Important: Jira Plugin users — **manual exemption required**
{% endhint %}

Due to implementation specifics of the Jira Plugin integration, automatic exemption cannot always be guaranteed for Jira Plugin users. When enabling the Password Expiration Policy, administrators must **manually verify and exempt Jira Plugin users** via the User Administration UI. Failing to do so may cause the Jira Plugin integration to stop working.

The toggle is only shown when the expiry feature is enabled.

<figure><img src="/files/lhW3wCWQV2tJb9W4oD1K" alt=""><figcaption></figcaption></figure>

### **Account Lockout**

With `AccountLockoutEnabled` set to true, accounts are temporarily locked after a configurable number (`AccountLockoutMaxAttempts`) of consecutive failed login attempts.

To unlock a user immediately, an admin can deactivate and reactivate the user account in the admin UI. Lockout events are recorded in the audit log.

Technical users and externally authenticated users (AD/LDAP) are exempt from lockout.
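To make the interaction of the parameters concrete, here is an added Python model (not aqua's code; the `User` fields, function names and the assumption that the failure counter restarts once a lock is applied are this illustration's own) that evaluates one user against the documented rules: a user with no password change date on record counts as expired, per-user, technical and external exemptions skip expiry, technical and external users also skip lockout, and five consecutive failures lock the account for 30 minutes until the duration passes or an admin deactivates and reactivates it. Password history (and "trivial variations") is not modeled.

```python
# Added illustration of the documented rules; not aqua's implementation.
# User fields, function names and the counter-reset behaviour are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Values from the parameter table, with both master switches turned on.
POLICY = {
    "PasswordExpiryEnabled": True,
    "PasswordExpiryDays": 90,
    "PasswordMinimumAgeHours": 24,
    "AccountLockoutEnabled": True,
    "AccountLockoutMaxAttempts": 5,
    "AccountLockoutDurationMinutes": 30,
}

@dataclass
class User:
    name: str
    # None models "no password change date on record" (first-time activation).
    password_changed_at: Optional[datetime] = None
    exempt_from_expiry: bool = False   # per-user flag in the user profile
    technical: bool = False            # sync / API users
    external: bool = False             # SAML, Active Directory or LDAP
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def exempt_from_expiry(user: User) -> bool:
    return user.exempt_from_expiry or user.technical or user.external

def exempt_from_lockout(user: User) -> bool:
    # Only technical and externally authenticated users skip lockout.
    return user.technical or user.external

def must_change_password(user: User, policy: dict, now: datetime) -> bool:
    """True when the login has to be redirected into the password-change flow."""
    if not policy["PasswordExpiryEnabled"] or policy["PasswordExpiryDays"] == 0:
        return False
    if exempt_from_expiry(user):
        return False
    if user.password_changed_at is None:
        return True  # treated as expired immediately after activation
    return now - user.password_changed_at > timedelta(days=policy["PasswordExpiryDays"])

def may_change_voluntarily(user: User, policy: dict, now: datetime) -> bool:
    """Minimum password age: a voluntary change is refused inside the window."""
    if user.password_changed_at is None:
        return True
    return now - user.password_changed_at >= timedelta(hours=policy["PasswordMinimumAgeHours"])

def is_locked(user: User, now: datetime) -> bool:
    return user.locked_until is not None and now < user.locked_until

def record_failed_login(user: User, policy: dict, now: datetime) -> bool:
    """Count one failed attempt; returns True if the account is locked afterwards."""
    if not policy["AccountLockoutEnabled"] or policy["AccountLockoutMaxAttempts"] == 0:
        return False
    if exempt_from_lockout(user):
        return False
    user.failed_attempts += 1
    if user.failed_attempts >= policy["AccountLockoutMaxAttempts"]:
        user.locked_until = now + timedelta(minutes=policy["AccountLockoutDurationMinutes"])
        user.failed_attempts = 0  # assumption: the counter restarts once the lock is applied
        return True
    return False

def admin_unlock(user: User) -> None:
    """Models deactivating and reactivating the account in the admin UI."""
    user.locked_until = None
    user.failed_attempts = 0

def demo() -> dict:
    now = datetime(2025, 1, 15, 9, 0)
    legacy = User("legacy")                                               # no date on record
    fresh = User("fresh", password_changed_at=now - timedelta(hours=3))
    stale = User("stale", password_changed_at=now - timedelta(days=91))
    jira = User("jira-plugin", exempt_from_expiry=True)
    sync = User("sync", technical=True)
    results = {
        "legacy_must_change": must_change_password(legacy, POLICY, now),  # True
        "fresh_must_change": must_change_password(fresh, POLICY, now),    # False
        "fresh_may_change": may_change_voluntarily(fresh, POLICY, now),   # False: 3 h < 24 h
        "stale_must_change": must_change_password(stale, POLICY, now),    # True: 91 d > 90 d
        "jira_must_change": must_change_password(jira, POLICY, now),      # False: exempt
    }
    locked = [record_failed_login(stale, POLICY, now) for _ in range(5)]
    results["locked_on_attempt"] = locked.index(True) + 1                 # 5
    results["locked_after_29min"] = is_locked(stale, now + timedelta(minutes=29))  # True
    results["locked_after_31min"] = is_locked(stale, now + timedelta(minutes=31))  # False
    admin_unlock(stale)
    results["locked_after_admin_unlock"] = is_locked(stale, now)          # False
    results["technical_ever_locked"] = any(record_failed_login(sync, POLICY, now) for _ in range(10))  # False
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `legacy` user is the first-time activation case: with no change date on record the model reports a forced change on the very first login, which is why the section above asks you to warn users before switching the feature on. The `jira-plugin` user shows what the per-user exemption buys, and the `sync` user shows that a technical account can never be locked out, so a misconfigured integration does not turn into a denial of service for the integration itself.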

{% hint style="info" %}
Known Limitation — Desktop Client
{% endhint %}

Password expiration is enforced via the web client only. If a user's password expires and they are using the aqua desktop client, they will not be able to log in via the desktop client until their password is changed. They must log in via the web client to complete the password change, after which desktop login will work again.

Workarounds:

* The user logs in via the web client and completes the password change flow
* An admin resets the user's password manually
