debian-mirror-gitlab/doc/user/profile/user_passwords.md

---
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# User passwords **(FREE)**

If you use a password to sign in to GitLab, a strong password is very important. A weak or guessable password makes it
easier for unauthorized people to log into your account.

Some organizations require you to meet certain requirements when choosing a password.

Improve the security of your account with [two-factor authentication](account/two_factor_authentication.md)

## Choose your password

You can choose a password when you [create a user account](account/create_accounts.md).

If you register your account using an external authentication and
authorization provider, you do not need to choose a password. GitLab
[sets a random, unique, and secure password for you](../../security/passwords_for_integrated_authentication_methods.md).

## Change your password

You can change your password. GitLab enforces [password requirements](#password-requirements) when you choose your new
password.

1. On the top bar, in the top-right corner, select your avatar.
1. Select **Edit profile**.
1. On the left sidebar, select **Password**.
1. In the **Current password** text box, enter your current password.
1. In the **New password** and **Password confirmation** text box, enter your new password.
1. Select **Save password**.

If you don't know your current password, select the **I forgot my password** link. A password reset email is sent to the
account's **primary** email address.

## Password requirements

Your passwords must meet a set of requirements when:

- You choose a password during registration.
- You choose a new password using the forgotten password reset flow.
- You change your password proactively.
- You change your password after it expires.
- An an administrator creates your account.
- An administrator updates your account.

By default GitLab enforces the following password requirements:

- Minimum and maximum password lengths. For example,
  see [the settings for GitLab.com](../gitlab_com/index.md#password-requirements).
- Disallowing [weak passwords](#block-weak-passwords).

Self-managed installations can configure the following additional password requirements:

- [Password minimum and maximum length limits](../../security/password_length_limits.md).
- [Password complexity requirements](../admin_area/settings/sign_up_restrictions.md#password-complexity-requirements).

## Block weak passwords

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default on self-managed.
> - [Enabled](https://gitlab.com/gitlab-org/gitlab/-/issues/363445) on GitLab.com.

FLAG:
On self-managed GitLab, by default blocking weak passwords is not available. To make it available, ask an administrator
to [enable the feature flag](../../administration/feature_flags.md) named `block_weak_passwords`. On GitLab.com, this
feature is available but can be configured by GitLab.com administrators only.

GitLab disallows weak passwords. Your password is considered weak when it:

- Matches one of 4500+ known, breached passwords.
- Contains part of your name, username, or email address.
- Contains a predictable word (for example, `gitlab` or `devops`).

Weak passwords are rejected with the error message: **Password must not contain commonly used combinations of words and letters**.
New upstream version 15.5.4+ds1 2022-11-25 23:54:43 +05:30			`---`
			`stage: Manage`
			`group: Authentication and Authorization`
			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments`
			`---`

			`# User passwords (FREE)`

			`If you use a password to sign in to GitLab, a strong password is very important. A weak or guessable password makes it`
			`easier for unauthorized people to log into your account.`

			`Some organizations require you to meet certain requirements when choosing a password.`

			`Improve the security of your account with [two-factor authentication](account/two_factor_authentication.md)`

			`## Choose your password`

			`You can choose a password when you [create a user account](account/create_accounts.md).`

			`If you register your account using an external authentication and`
			`authorization provider, you do not need to choose a password. GitLab`
			`[sets a random, unique, and secure password for you](../../security/passwords_for_integrated_authentication_methods.md).`

			`## Change your password`

			`You can change your password. GitLab enforces [password requirements](#password-requirements) when you choose your new`
			`password.`

			`1. On the top bar, in the top-right corner, select your avatar.`
			`1. Select Edit profile.`
			`1. On the left sidebar, select Password.`
			`1. In the Current password text box, enter your current password.`
			`1. In the New password and Password confirmation text box, enter your new password.`
			`1. Select Save password.`

			`If you don't know your current password, select the I forgot my password link. A password reset email is sent to the`
			`account's primary email address.`

			`## Password requirements`

			`Your passwords must meet a set of requirements when:`

			`- You choose a password during registration.`
			`- You choose a new password using the forgotten password reset flow.`
			`- You change your password proactively.`
			`- You change your password after it expires.`
			`- An an administrator creates your account.`
			`- An administrator updates your account.`

			`By default GitLab enforces the following password requirements:`

			`- Minimum and maximum password lengths. For example,`
			`see [the settings for GitLab.com](../gitlab_com/index.md#password-requirements).`
			`- Disallowing [weak passwords](#block-weak-passwords).`

			`Self-managed installations can configure the following additional password requirements:`

			`- [Password minimum and maximum length limits](../../security/password_length_limits.md).`
			`- [Password complexity requirements](../admin_area/settings/sign_up_restrictions.md#password-complexity-requirements).`

			`## Block weak passwords`

New upstream version 15.6.4+ds1 2023-01-13 00:05:48 +05:30			> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/23610) in GitLab 15.4 [with a flag](../../administration/feature_flags.md) named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default on self-managed.
			`> - [Enabled](https://gitlab.com/gitlab-org/gitlab/-/issues/363445) on GitLab.com.`
New upstream version 15.5.4+ds1 2022-11-25 23:54:43 +05:30
			`FLAG:`
			`On self-managed GitLab, by default blocking weak passwords is not available. To make it available, ask an administrator`
			to [enable the feature flag](../../administration/feature_flags.md) named `block_weak_passwords`. On GitLab.com, this
			`feature is available but can be configured by GitLab.com administrators only.`

			`GitLab disallows weak passwords. Your password is considered weak when it:`

			`- Matches one of 4500+ known, breached passwords.`
			`- Contains part of your name, username, or email address.`
			- Contains a predictable word (for example, `gitlab` or `devops`).

			`Weak passwords are rejected with the error message: Password must not contain commonly used combinations of words and letters.`