Configure Password Strength Validation and Password Expiration

Passwords need to be secure. For one thing, they should not be easy to guess. This page explains how to use and customise the password validation rules and password expiration behaviour in order to enforce a minimum password strength policy. By default these rules are turned off.

Password Strength Validation

Passwords can be validated whenever an attempt is made to change them through the CMS (either from Setup > System or when using the Change password shortcut from Home). This validation is performed by the password validation service, which can be configured at

/hippo:configuration/hippo:frontend/cms/cms-services/passwordValidationService

Each subnode represents an implementation of the interface org.hippoecm.frontend.plugins.cms.admin.password.validation.IPasswordValidator and requires the property validator.class that specifies the implementation class. The service expects these implementations to provide a constructor that takes an org.hippoecm.frontend.plugin.config.IPluginConfig object as its single argument.

The service itself has a single configuration property, password.strength, which governs how the optional validators are applied.

An optional IPasswordValidator is one that returns true when its isOptional() method is called. The password.strength property controls how many of these optional validators must pass in order for the password to be valid. An error message is logged to the console if you configure a password.strength that is larger than the number of optional validators that are configured.

The following password validators are available:

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsCapitalPasswordValidator
    Description: Password should contain at least one capital letter (A-Z)
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsDigitPasswordValidator
    Description: Password should contain at least one digit (0-9)
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsLowercasePasswordValidator
    Description: Password should contain at least one lower case letter (a-z)
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsSpecialCharacterPasswordValidator
    Description: Password should contain at least one of !, $, # or %
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsNoNamePasswordValidator
    Description: Password should not contain login name, first name or last name
    Optional: no

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.IsNoPreviousPasswordValidator
    Description: Password should not be the same as N previous passwords
    Optional: no
    Properties:

    • numberOfPreviousPasswords (Long)

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.MinimalLengthPasswordValidator
    Description: Password should be at least N characters long
    Optional: no
    Properties:

    • minimallength (Long)
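The rule described above (every required validator must pass, and at least password.strength of the optional ones) can be modelled outside the CMS to see how a given configuration treats a candidate password. The following is an added example, not code from Hippo CMS; the User record, the validator names and the sample data are constructed for illustration, and the real service's behaviour when password.strength exceeds the optional count beyond logging an error is not stated on this page.

```python
import logging
from dataclasses import dataclass
from typing import Callable, List, Tuple

log = logging.getLogger("passwordValidationService")

@dataclass(frozen=True)
class User:
    login: str
    first_name: str
    last_name: str
    previous_passwords: tuple  # most recent first; constructed plaintext sample, not repository data

@dataclass(frozen=True)
class Validator:
    name: str
    optional: bool
    check: Callable[[str, User], bool]

def build_validators(minimal_length: int = 8, number_of_previous_passwords: int = 3) -> List[Validator]:
    """Models the validators listed on this page with the same optional/required split."""
    def no_name(p: str, u: User) -> bool:
        low = p.lower()
        return not any(n and n.lower() in low for n in (u.login, u.first_name, u.last_name))
    def not_previous(p: str, u: User) -> bool:
        return p not in u.previous_passwords[:number_of_previous_passwords]
    return [
        Validator("ContainsCapital", True, lambda p, u: any("A" <= c <= "Z" for c in p)),
        Validator("ContainsDigit", True, lambda p, u: any("0" <= c <= "9" for c in p)),
        Validator("ContainsLowercase", True, lambda p, u: any("a" <= c <= "z" for c in p)),
        Validator("ContainsSpecialCharacter", True, lambda p, u: any(c in "!$#%" for c in p)),
        Validator("ContainsNoName", False, no_name),
        Validator("IsNoPreviousPassword", False, not_previous),
        Validator("MinimalLength", False, lambda p, u: len(p) >= minimal_length),
    ]

def validate(password: str, user: User, validators: List[Validator],
             password_strength: int) -> Tuple[bool, List[str]]:
    """Return (accepted, names of validators that failed)."""
    optional = [v for v in validators if v.optional]
    if password_strength > len(optional):
        # Mirrors the logged error the page describes; in this model no password can then pass.
        log.error("password.strength %d exceeds the %d optional validators configured",
                  password_strength, len(optional))
    failed = [v.name for v in validators if not v.check(password, user)]
    required_ok = all(v.name not in failed for v in validators if not v.optional)
    optional_passed = sum(1 for v in optional if v.name not in failed)
    return required_ok and optional_passed >= password_strength, failed
```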

Password Expiration

In order to force users to update their passwords regularly, it is possible to inform users that their password is about to expire by configuring the change password shortcut plugin. In the plugin configuration at

/hippo:configuration/hippo:frontend/cms/cms-dashshortcuts/changePasswordShortcut

the property passwordexpirationnotificationdays indicates how many days in advance the user should be notified that their password will expire. The default value is 3 days. During that period, a message is displayed on the dashboard showing how much time is left.

The repository can be configured to automatically disable user accounts based on the last modified time of the password. This is done by setting the property hipposys:passwordmaxagedays on the node /hippo:configuration/hippo:security. When a password is changed through the CMS, the hipposys:user node gets an additional property passwordlastmodified. From that moment on, the expiration date is checked when the user logs in. If the password has expired, the user is deactivated and thereby prevented from logging in.

Note that passwords do not expire for system users. If system users were automatically locked out because of expired passwords, the site would stop working unexpectedly as soon as that happened to the user dedicated to rendering the site. Be aware, however, that password expiration does not prevent such users from logging in to the repository programmatically, for instance over RMI.
