| stage | group | info |
|---|---|---|
| Manage | Authentication and Authorization | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments |
# User passwords **(FREE)**
If you use a password to sign in to GitLab, a strong password is very important. A weak or guessable password makes it easier for unauthorized people to log into your account.
Some organizations require you to meet certain requirements when choosing a password.
You can also improve the security of your account with two-factor authentication.

## Choose your password
You can choose a password when you create a user account.
If you register your account using an external authentication and authorization provider, you do not need to choose a password. GitLab sets a random, unique, and secure password for you.
## Change your password
You can change your password. GitLab enforces password requirements when you choose your new password.
1. On the top bar, in the top-right corner, select your avatar.
1. Select **Edit profile**.
1. On the left sidebar, select **Password**.
1. In the **Current password** text box, enter your current password.
1. In the **New password** and **Password confirmation** text boxes, enter your new password.
1. Select **Save password**.
If you don't know your current password, select the **I forgot my password** link. A password reset email is sent to the account's primary email address.

## Password requirements
Your passwords must meet a set of requirements when:
- You choose a password during registration.
- You choose a new password using the forgotten password reset flow.
- You change your password proactively.
- You change your password after it expires.
- An administrator creates your account.
- An administrator updates your account.
By default, GitLab enforces the following password requirements:
- Minimum and maximum password lengths. For example, see the settings for GitLab.com.
- Disallowing weak passwords.
Self-managed installations can configure the following additional password requirements:
### Block weak passwords

- Introduced in GitLab 15.4 with a flag named `block_weak_passwords`, weak passwords aren't accepted. Disabled by default on self-managed.
- Enabled on GitLab.com.
FLAG:
On self-managed GitLab, by default blocking weak passwords is not available. To make it available, ask an administrator to enable the feature flag named `block_weak_passwords`. On GitLab.com, this feature is available but can be configured by GitLab.com administrators only.
GitLab disallows weak passwords. Your password is considered weak when it:
- Matches one of 4500+ known, breached passwords.
- Contains part of your name, username, or email address.
- Contains a predictable word (for example, `gitlab` or `devops`).
Weak passwords are rejected with the error message: `Password must not contain commonly used combinations of words and letters.`
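The three weakness rules above can be applied in a single check that reports every rule a candidate password violates, which is useful when writing a pre-submission validator or testing a password policy. The following is an added example, not GitLab's own implementation: the breached-password set is a small constructed stand-in for the 4500+ entry list, the predictable words are the two the page names, `MIN_PART_LENGTH` and the case-insensitive matching are assumptions, and only the local part of the email address is used.

```python
"""Weak-password check modelled on the three rules described on this page.

Added example, not GitLab's code. BREACHED_PASSWORDS, PREDICTABLE_WORDS,
MIN_PART_LENGTH and the sample account below are constructed for illustration.
"""
import re

# Constructed stand-in for the breached-password list (the real one has 4500+ entries).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Predictable words; the page names "gitlab" and "devops".
PREDICTABLE_WORDS = ("gitlab", "devops")

# Assumption: identity fragments shorter than this are too short to be meaningful.
MIN_PART_LENGTH = 3


def identity_fragments(name, username, email):
    """Split name, username and the email local part into lowercase fragments."""
    fragments = set()
    local_part = email.split("@")[0]  # assumption: only the local part is checked
    for value in (name, username, local_part):
        for fragment in re.split(r"[^a-z0-9]+", value.lower()):
            if len(fragment) >= MIN_PART_LENGTH:
                fragments.add(fragment)
    return fragments


def weak_password_reasons(password, *, name="", username="", email=""):
    """Return the rules the password violates; an empty list means it is not weak."""
    lowered = password.lower()  # assumption: all comparisons are case-insensitive
    reasons = []
    if lowered in BREACHED_PASSWORDS:
        reasons.append("matches a known breached password")
    if any(fragment in lowered for fragment in identity_fragments(name, username, email)):
        reasons.append("contains part of your name, username, or email address")
    if any(word in lowered for word in PREDICTABLE_WORDS):
        reasons.append("contains a predictable word")
    return reasons


def is_weak(password, **identity):
    """True when at least one weakness rule applies."""
    return bool(weak_password_reasons(password, **identity))


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    user = {"name": "Alex Example", "username": "aexample", "email": "alex.example@example.com"}
    for candidate in ("Password", "aexample-2024!", "MyGitLabRocks", "correct horse battery staple"):
        reasons = weak_password_reasons(candidate, **user)
        print(f"{candidate!r}: {'weak: ' + '; '.join(reasons) if reasons else 'accepted'}")
```

Reporting every violated rule rather than stopping at the first one keeps the check deterministic and makes the policy easy to unit-test; a production validator should still surface only the single generic message the page quotes, so the response does not reveal which rule was tripped.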