© 2026 Direct Cursus Technology L.L.C.

Setting up a password policy

Written by
Yandex Cloud
Updated at February 24, 2026

Note

This feature is at the Preview stage.

To set up a password policy:

Cloud Center UI
  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

  2. In the left-hand panel, click User pools and select the user pool.

  3. Click Password policy and select Set password policy.

  4. Under Password complexity, specify the character class settings for the password:

    • Custom: Configure the minimum length depending on the number of character classes used in the password:

      • One class (abc)
      • Two classes (aBc)
      • Three classes (aBc1)
      • Four classes (aB#c1)

      This is the preferred option because it does not require particular characters and allows users to create more memorable yet strong passwords.

    • Required: Select the character types for the password by activating the following options:

      • Lowercase Latin letters
      • Uppercase Latin letters
      • Digits
      • Special characters, e.g., !@#$%^&*

      In the Minimum length field, specify the minimum number of characters in the password (at least seven).

  5. Under Password lifetime, set the minimum and maximum password lifetime (up to 730 days) or select Unlimited.

  6. Under Brute force protection, specify:

    • Number of failed password attempts before lockout: From 1 to 100.
    • Failed attempt interval in minutes or seconds.
    • Lockout duration in minutes or seconds.
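The two complexity modes from step 4, as an added Python example that is not part of the Yandex Cloud documentation or product: it evaluates a candidate password against a custom (smart) policy, where the minimum length depends on how many character classes are used, and against a required (fixed) policy, using the page's example thresholds. Counting every non-alphanumeric character as "special" and the function names are my assumptions.

```python
import string

# Character classes named on the page: lowercase Latin letters, uppercase Latin letters,
# digits, special characters. Assumption: anything outside the first three is "special".
CLASSES = {
    "lowers": set(string.ascii_lowercase),
    "uppers": set(string.ascii_uppercase),
    "digits": set(string.digits),
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            used.add("specials")
    return used

def check_smart(password, one_class, two_classes, three_classes, four_classes, max_length=0):
    """Custom (smart) policy: the minimum length depends only on how many classes
    the password uses; max_length 0 means no limit, as with --password-max-length."""
    if max_length and len(password) > max_length:
        return False, f"longer than max_length {max_length}"
    n = len(classes_used(password))
    minimum = {1: one_class, 2: two_classes, 3: three_classes, 4: four_classes}[n]
    if len(password) < minimum:
        return False, f"{n} class(es) used, need at least {minimum} characters"
    return True, "ok"

def check_fixed(password, min_length, lowers=False, uppers=False, digits=False,
                specials=False, max_length=0):
    """Required (fixed) policy: each enabled class must be present and the length
    must reach min_length, which the page says cannot be below 7."""
    if min_length < 7:
        raise ValueError("min_length must be at least 7")
    if max_length and len(password) > max_length:
        return False, f"longer than max_length {max_length}"
    if len(password) < min_length:
        return False, f"shorter than min_length {min_length}"
    used = classes_used(password)
    wanted = {"lowers": lowers, "uppers": uppers, "digits": digits, "specials": specials}
    missing = [name for name, needed in wanted.items() if needed and name not in used]
    if missing:
        return False, "missing required class(es): " + ", ".join(missing)
    return True, "ok"
```

With the page's smart thresholds (24/14/11/10), a long single-class passphrase and a short four-class password both pass, which is the "memorable yet strong" trade-off the text describes.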

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for updating a user pool:

    yc organization-manager idp userpool update --help
    
  2. Get a list of user pools in the organization:

    yc organization-manager idp userpool list \
      --organization-id <organization_ID>
    
  3. Set up a password policy for the user pool:

    yc organization-manager idp userpool update <pool_ID> \
      --password-smart-one-class <minimum_length_for_1_class> \
      --password-smart-two-classes <minimum_length_for_2_classes> \
      --password-smart-three-classes <minimum_length_for_3_classes> \
      --password-smart-four-classes <minimum_length_for_4_classes> \
      --password-allow-similar \
      --password-match-length <match_substring_length> \
      --password-max-length <maximum_password_length> \
      --password-min-days <minimum_lifetime_in_days> \
      --password-max-days <maximum_lifetime_in_days> \
      --bruteforce-attempts <number_of_attempts> \
      --bruteforce-window <count_interval> \
      --bruteforce-block <lockout_duration>
    

    Where:

    • To configure custom character types (smart policy):

      • --password-smart-one-class: Minimum password length if using one character class (e.g., lowercase letters only).
      • --password-smart-two-classes: Minimum password length if using two character classes (e.g., lowercase and uppercase letters).
      • --password-smart-three-classes: Minimum password length if using three character classes (e.g., letters and numbers).
      • --password-smart-four-classes: Minimum password length if using four character classes (letters, numbers, and special characters).
    • To configure required character types (fixed policy):

      • --password-fixed-min-length: Minimum password length (at least 7 characters).
      • --password-fixed-lowers-required: Require lowercase letters.
      • --password-fixed-uppers-required: Require uppercase letters.
      • --password-fixed-digits-required: Require numbers.
      • --password-fixed-specials-required: Require special characters.
    • --password-allow-similar: Allow passwords similar to those used earlier. If the flag is not specified, using similar passwords is forbidden.

    • --password-match-length: Minimum substring length for a similarity check with vulnerable sequences.

    • --password-max-length: Maximum password length. If 0, there is no limit.

    • --password-min-days: Minimum number of days before the password should be changed.

    • --password-max-days: Maximum number of days the password remains valid (up to 730 days). If 0, passwords do not expire.

    • --bruteforce-attempts: Number of wrong password entries before lockout (1 to 100).

    • --bruteforce-window: Interval for counting wrong entries (e.g., 10m for 10 minutes or 600s for 600 seconds).

    • --bruteforce-block: Lockout duration after exceeding the wrong entry limit (e.g., 10m or 600s).

    Example of a command for setting up a password policy:

    With custom character types:

    yc organization-manager idp userpool update fpd9mu9gqq12******** \
      --password-smart-one-class 24 \
      --password-smart-two-classes 14 \
      --password-smart-three-classes 11 \
      --password-smart-four-classes 10 \
      --password-max-length 128 \
      --password-max-days 365 \
      --bruteforce-attempts 15 \
      --bruteforce-window 10m \
      --bruteforce-block 10m
    
    With required character types:

    yc organization-manager idp userpool update fpd9mu9gqq12******** \
      --password-fixed-min-length 8 \
      --password-fixed-lowers-required \
      --password-fixed-uppers-required \
      --password-fixed-digits-required \
      --password-max-length 128 \
      --password-max-days 365 \
      --bruteforce-attempts 15 \
      --bruteforce-window 10m \
      --bruteforce-block 10m
    

For more information about the yc organization-manager idp userpool update command, see the CLI reference.
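The brute-force settings (--bruteforce-attempts, --bruteforce-window, --bruteforce-block) as an added Python model, not code from Yandex Cloud: it parses the 10m/600s duration notation the flags accept and applies a per-user lockout after the configured number of failures inside the window. The sliding-window counting rule, the reset on success and the class name are my assumptions; the page does not state the service's exact counting semantics.

```python
from dataclasses import dataclass, field

def parse_duration(value):
    """Parse the page's duration notation: an integer followed by m (minutes) or s (seconds)."""
    units = {"s": 1, "m": 60}
    if len(value) < 2 or value[-1] not in units or not value[:-1].isdigit():
        raise ValueError(f"unsupported duration: {value!r}")
    return int(value[:-1]) * units[value[-1]]

@dataclass
class BruteforceGuard:
    """Per-user lockout model built from the three settings on the page.
    Assumption: the window is sliding, i.e. a failure counts only while it is
    younger than `window`; times are plain seconds so the model runs offline."""
    attempts: int
    window: str
    block: str
    failures: dict = field(default_factory=dict)      # user -> recent failure times
    locked_until: dict = field(default_factory=dict)  # user -> lockout expiry time

    def __post_init__(self):
        if not 1 <= self.attempts <= 100:
            raise ValueError("attempts must be between 1 and 100")
        self.window_s = parse_duration(self.window)
        self.block_s = parse_duration(self.block)

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a failed sign-in at time `now`; return True if the user is locked out."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self.failures.get(user, []) if now - t < self.window_s]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.attempts:
            self.locked_until[user] = now + self.block_s
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        """A successful sign-in clears the failure counter (assumption)."""
        self.failures.pop(user, None)
```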

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

For more information about Terraform, see this guide.

  1. Create a configuration file with the user pool and password policy settings:

    resource "yandex_organizationmanager_idp_userpool" "my_userpool" {
      name              = "<pool_name>"
      organization_id   = "<organization_ID>"
      default_subdomain = "<subdomain>"
      description       = "<pool_description>"
    
      password_quality_policy = {
        allow_similar = true
        max_length    = 128
        match_length  = 4
    
        # Use either `smart` or `fixed`
        # Configuring custom character types
        smart = {
          one_class     = 24
          two_classes   = 14
          three_classes = 11
          four_classes  = 10
        }
    
        # Configuring required character types
        fixed = {
          min_length        = 8
          lowers_required   = true
          uppers_required   = true
          digits_required   = true
          specials_required = false
        }
      }
    
      password_lifetime_policy = {
        min_days_count = 0
        max_days_count = 365
      }
    
      bruteforce_protection_policy = {
        attempts = 15
        window   = "10m"
        block    = "10m"
      }
    }
    

    Where:

    • name: User pool name.

    • organization_id: Organization ID.

    • default_subdomain: Default subdomain for the pool.

    • description: User pool description.

    • password_quality_policy: Password complexity settings:

      • allow_similar: Allow passwords similar to those used earlier.
      • max_length: Maximum password length. If 0, there is no limit.
      • match_length: Minimum substring length for a similarity check with vulnerable sequences.

      Use either smart or fixed.

      • smart: Configuring custom character types (minimum length depends on how many classes are used).

        • one_class: Minimum password length if using one character class (e.g., lowercase letters only).
        • two_classes: Minimum length of a password with two character classes (e.g., lowercase and uppercase letters).
        • three_classes: Minimum password length if using three character classes (e.g., letters and numbers).
        • four_classes: Minimum password length if using four character classes (letters, numbers, and special characters).
      • fixed: Configuring required character types (use instead of smart).

        • min_length: Minimum password length (at least 7 characters).
        • lowers_required: Require lowercase letters.
        • uppers_required: Require uppercase letters.
        • digits_required: Require numbers.
        • specials_required: Require special characters.
    • password_lifetime_policy: Password lifetime settings.

      • min_days_count: Minimum number of days before the password should be changed.
      • max_days_count: Maximum number of days the password remains valid (up to 730 days). If 0, passwords do not expire.
    • bruteforce_protection_policy: Settings for protection against password guessing.

      • attempts: Number of wrong password entries before lockout (1 to 100).
      • window: Interval for counting wrong entries (e.g., 10m for 10 minutes or 600s for 600 seconds).
      • block: Lockout duration after exceeding the wrong entry limit (e.g., 10m or 600s).

    For more information about yandex_organizationmanager_idp_userpool properties, see this provider guide.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

This will create a user pool subject to your password policy in the specified organization. You can check the new pool and its settings using the Cloud Center UI or this CLI command:

yc organization-manager idp userpool get <pool_ID>

API

Use the update REST API method for the Userpool resource or the UserpoolService/Update gRPC API call.
