---
checkId: check.security.password.policy
plugin: stellaops.doctor.security
severity: warn
tags: [security, password, authentication]
---

# Password Policy

## What It Checks

Validates that the configured password requirements meet security standards. The check only runs when a password policy configuration section exists (`Identity:Password`, `Password`, or `Security:Password`). It inspects:

| Setting | Threshold | Severity |
|---|---|---|
| `RequiredLength` / `MinLength` | Less than 8 | `fail` (if < 6), otherwise `warn` |
| `RequiredLength` / `MinLength` | Less than 12 | `warn` — 12+ recommended |
| `RequireDigit` | `false` | `warn` |
| `RequireLowercase` | `false` | `warn` |
| `RequireUppercase` | `false` | `warn` |
| `RequireNonAlphanumeric` / `RequireSpecialChar` | `false` | `warn` |
| `MaxFailedAccessAttempts` / `MaxAttempts` | Greater than 10 | `warn` |
| `DefaultLockoutTimeSpan` / `DurationMinutes` | Less than 1 minute | `warn` |

Default values if not explicitly set: min length = 8, require digit/lowercase/uppercase/special = true, max failed attempts = 5, lockout duration = 5 minutes.

## Why It Matters

Weak password policies enable brute-force and credential-stuffing attacks. Short passwords with low complexity can be cracked quickly with dictionary attacks. Without account lockout, or with too many allowed attempts, automated guessing can run indefinitely. In a release control plane, compromised credentials could lead to unauthorized release approvals, policy changes, or data exfiltration.
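The table and defaults above, modelled as a standalone check so the thresholds can be exercised against sample configurations. This is an added example, not the `stellaops.doctor.security` plugin's own code: the section lookup order, alias names, thresholds and defaults are taken from this page, while the `__`-to-nested-dict env-var flattening, the fallback to a sibling `Lockout` section for the attempt/duration keys, and the treatment of `DefaultLockoutTimeSpan` as minutes are assumptions made for the example.

```python
"""Standalone model of the check.security.password.policy rules (added example,
not StellaOps code). Thresholds/defaults come from the page; env-var flattening,
the sibling "Lockout" fallback and minutes for the lockout value are assumptions."""
from dataclasses import dataclass

SECTION_PATHS = ("Identity:Password", "Password", "Security:Password")

# Defaults applied when a setting is not explicitly set (from the page).
DEFAULTS = {
    "RequiredLength": 8,
    "RequireDigit": True,
    "RequireLowercase": True,
    "RequireUppercase": True,
    "RequireNonAlphanumeric": True,
    "MaxFailedAccessAttempts": 5,
    "DefaultLockoutTimeSpan": 5,  # assumption: value expressed in minutes
}

# Alternate key names the check accepts for the same setting.
ALIASES = {
    "RequiredLength": ("RequiredLength", "MinLength"),
    "RequireNonAlphanumeric": ("RequireNonAlphanumeric", "RequireSpecialChar"),
    "MaxFailedAccessAttempts": ("MaxFailedAccessAttempts", "MaxAttempts"),
    "DefaultLockoutTimeSpan": ("DefaultLockoutTimeSpan", "DurationMinutes"),
}

FLAGS = ("RequireDigit", "RequireLowercase", "RequireUppercase", "RequireNonAlphanumeric")


@dataclass(frozen=True)
class Finding:
    severity: str  # "warn" or "fail"
    setting: str   # the key name actually found (or the canonical name if defaulted)
    message: str


def env_to_config(env):
    """Flatten Identity__Password__RequiredLength=12 style variables into a nested dict."""
    root = {}
    for key, value in env.items():
        parts = key.split("__")
        node = root
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return root


def _lookup(config, path):
    node = config
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _find_sections(config):
    """Return (password_section, lockout_section); without the former the check is skipped."""
    for path in SECTION_PATHS:
        section = _lookup(config, path)
        if isinstance(section, dict):
            parent = _lookup(config, path.rsplit(":", 1)[0]) if ":" in path else config
            lockout = parent.get("Lockout", {}) if isinstance(parent, dict) else {}
            return section, lockout
    return None, None


def _get(sections, canonical):
    """First matching alias across the given sections, else the documented default."""
    for section in sections:
        for name in ALIASES.get(canonical, (canonical,)):
            if name in section:
                return section[name], name
    return DEFAULTS[canonical], canonical


def _as_bool(value):
    # Env vars arrive as strings ("true"), appsettings.json as real booleans.
    return value if isinstance(value, bool) else str(value).strip().lower() in ("1", "true", "yes")


def _as_number(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def run_check(config):
    """Evaluate a config dict; returns {"status": skip|pass|warn|fail, "findings": [...]}."""
    password, lockout = _find_sections(config)
    if password is None:
        return {"status": "skip", "findings": []}
    findings = []

    length, name = _get((password,), "RequiredLength")
    n = _as_number(length)
    if n is None:
        findings.append(Finding("warn", name, f"{length!r} is not numeric"))
    elif n < 6:
        findings.append(Finding("fail", name, f"minimum length {int(n)} is below 6"))
    elif n < 8:
        findings.append(Finding("warn", name, f"minimum length {int(n)} is below 8"))
    elif n < 12:
        findings.append(Finding("warn", name, f"minimum length {int(n)} is below the recommended 12"))

    for flag in FLAGS:
        value, name = _get((password,), flag)
        if not _as_bool(value):
            findings.append(Finding("warn", name, "complexity requirement disabled"))

    attempts, name = _get((password, lockout), "MaxFailedAccessAttempts")
    a = _as_number(attempts)
    if a is None or a > 10:
        findings.append(Finding("warn", name, f"{attempts!r} allows extended brute force"))

    duration, name = _get((password, lockout), "DefaultLockoutTimeSpan")
    d = _as_number(duration)
    if d is None or d < 1:
        findings.append(Finding("warn", name, f"lockout {duration!r} is shorter than 1 minute"))

    worst = "fail" if any(f.severity == "fail" for f in findings) else ("warn" if findings else "pass")
    return {"status": worst, "findings": findings}
```

Feeding `env_to_config` the Docker Compose variables from the fix section yields `status: pass`; a config with `MinLength: 4` and `RequireDigit: false` yields a `fail` for the length plus a `warn` for the disabled digit requirement, and a config with no password section at all is reported as `skip` rather than `pass`, which mirrors the "only runs when a section exists" behaviour described above.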
## Common Causes

- Minimum password length set too short (below 8 characters)
- Password complexity requirements disabled (no digit, uppercase, lowercase, or special character requirement)
- Maximum failed login attempts too high (above 10), allowing extended brute-force
- Account lockout duration too short (less than 1 minute)

## How to Fix

### Docker Compose

Set password policy via environment variables:

```yaml
environment:
  Identity__Password__RequiredLength: "12"
  Identity__Password__RequireDigit: "true"
  Identity__Password__RequireLowercase: "true"
  Identity__Password__RequireUppercase: "true"
  Identity__Password__RequireNonAlphanumeric: "true"
  Identity__Lockout__MaxFailedAccessAttempts: "5"
  Identity__Lockout__DefaultLockoutTimeSpan: "15"
```

### Bare Metal / systemd

Edit `appsettings.json`:

```json
{
  "Identity": {
    "Password": {
      "RequiredLength": 12,
      "RequireDigit": true,
      "RequireLowercase": true,
      "RequireUppercase": true,
      "RequireNonAlphanumeric": true
    },
    "Lockout": {
      "MaxFailedAccessAttempts": 5,
      "DefaultLockoutTimeSpan": 15
    }
  }
}
```

### Kubernetes / Helm

Set in Helm values:

```yaml
identity:
  password:
    requiredLength: 12
    requireDigit: true
    requireLowercase: true
    requireUppercase: true
    requireNonAlphanumeric: true
  lockout:
    maxFailedAccessAttempts: 5
    defaultLockoutTimeSpan: 15
```

## Verification

```
stella doctor run --check check.security.password.policy
```

## Related Checks

- `check.core.auth.config` — validates overall authentication configuration
- `check.security.audit.logging` — authentication failure events should be logged
- `check.security.ratelimit` — rate limiting provides an additional layer of brute-force protection