Password Expiration Policy - Optional Setting

🔐 Stay compliant, stay secure

aqua version 26.26 and later provides administrator-controlled password expiration policies, enabling organizations to enforce regular password changes as part of their security and compliance strategy.

This is particularly relevant for organizations in regulated industries — such as financial services, insurance, or public sector — where periodic credential renewal is mandated by internal policies or external compliance frameworks.

What administrators can comfigure:

All settings are disabled by default and can be enabled independently based on your organization's requirements.

How it affects users

When the policy is active, a user whose password has reached the expiry threshold will be prompted to set a new password upon their next login. They will not be able to access the application until the new password has been set successfully.

The new password must meet the configured requirements and cannot be a trivially modified version of an old password.

Exemptions

The policy applies to standard users authenticating with aqua's native login. The following are not subject to password expiration:

• Technical and integration users (such as API users or sync integrations)

• Users authenticating via an external provider such as Active Directory, LDAP, or SAML — password lifecycle for these users is managed by the external identity provider

If a user's password expires and they are using the aqua desktop client, they will not be able to log in via the desktop client until their password is changed. Such users are asked to log in via the web client to complete the password change, after which desktop login will work again.