Password Policy Configuration Guide

Modified on Mon, 26 Jun, 2023 at 5:01 PM


Note: This topic does not apply if your company is using Single Sign On (SSO) or LDAP/ AD authentication for authenticating your users of Projectal.


When installing and configuring Projectal, you can optionally create a password policy that your users must follow when they create passwords to log into their Projectal user account.


Default Password Policy

Projectal has the following default password policy that new users must follow when creating passwords to log into Projectal.


  • Mandatory rules:
    • The length of the password must be between 10 and 255 characters
    • Between 1 to 255 symbol characters ($,%,@,&,#,etc.) must be used
    • Must not match user's email address
    • Must have no more than two repeating characters


Modifying the Password Policy

You may want to change the set of password rules to fit they way that your company likes to authenticate its users.  The following documentation explains how to create a set of password rules to create your own password policy in Projectal.


Note: For on-premises installations of Projectal, your company's IT System Administrator can make these changes in your Projectal. If you require assistance, please contact Projectal support staff.


Note: For managed installations of Projectal where we look after the running of your Projectal, please contact Projectal support staff and they will configure your set of password rules to match the way you would like passwords to be used at your company.


Create your custom set of password rules in the Projectal application properties file on each API server running Projectal. 

sudo nano /data/projectal/application.properties

Add the following to the end of your application.properties file and customize the password policy to match your requirements.



# password rules

# mandatory rules

# length of password must be 6 to 255 chars
password.rule_A=use_length_min:6,use_length_max:255

# char cannot be repeated in sequence more than 2 times
password.rule_D=no_repeat_char_max:1

# password must be confirmed
password.rule_F=confirm:true

# char in password must be ASCII in range of 32 to 127
password.rule_X=permit_char_min:32,permit_char_max:127


# optional rules

# number of uppercase chars must be in 1 to 255
password.rule_1=use_upper_char_min:1,use_upper_char_max:255

# number of lower chars must be in 1 to 255
password.rule_2=use_lower_char_min:1,use_lower_char_max:255

# number of digit chars must be in 1 to 255
password.rule_3=use_digit_char_min:1,use_digit_char_max:255

# number of symbol chars must be in 1 to 255
password.rule_4=use_symbol_char_min:1,use_symbol_char_max:255


# ADFX rules are mandatory; at least 3 of 1234 rules must be satisfied
password.rules=use:ADFX1234,min:3


Note: You must restart each API server after making changes to the application properties file.


Password Rules Specification

The following is the full list of the available rules that can be applied to set a password policy.  You can use a combination of them and adjust their min, max and boolean values to fit your preferred password policy.


A password policy is defined as a set of password rules that are combined using the password.rules=use statement.


# ####
# full set of mandatory rules (always denoted by letters)

# password must have a minimum of 10 characters and a maximum of 255 characters (maximum is 255 characters)
password.rule_A=use_length_min:10,length_max:255

# password substring cannot match the user's first name, last name or nick name (matching is case insensitive)
password.rule_B=not_matching_user:true

# password substring cannot match any part of user's email address (matching is case insensitive)
password.rule_C=not_matching_email:true

# do not repeat a character in sequence, e.g. max:1 means "aa" is OK but "aaa" is not permitted
password.rule_D=no_repeat_char_max:1

# do not permit a password if it was used in the past (max:1 means permit a password being reused only one time)
password.rule_E=not_in_history_max:0

# ensure both supplied passwords are the same
password.rule_F=confirm:true

# char in password must be ASCII in range of 32 to 127
password.rule_X=permit_char_min:32,permit_char_max:127

# ####
# full set of optional rules (always denoted by digits)

# must use a minimum 1 to 255 upper case characters (e.g. A,B,C,D,E,F,G,etc.)
password.rule_1=use_upper_char_min:1,use_upper_char_max:255

# must use a minimum of 1 to 255 lower case characters (e.g. a,b,c,d,e,f,g,etc.)
password.rule_2=use_lower_char_min:1,use_lower_char_max:255

# must use a minimum of 1 to 255 digit characters (e.g. 1,2,3,4,5,6,7,etc.)
password.rule_3=use_digit_char_min:1,use_digit_char_max:255

# must use a minimum of 1 to 255 special characters (e.g. $,%,@,&,etc.)
password.rule_4=use_symbol_char_min:1,use_symbol_char_max:255

# ####
# password policy is defined by combining mandatory rules and optional rules

# use the mandatory rules A,F and use any 2 rules from 1,2,3,4
password.rules=use:AF1234,min:2


Important: It is strongly recommended that you do not excessively relax the password policy for your Projectal since it can increase the possibility for unwanted external access into your Projectal and all of its company data, project data and staff data. A high level of authentication is always desired.




Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article