This section allows you to define password requirements for the local user accounts.


Zammad does not allow you to change your LDAP password, instead, it will set a password in its local database which might confuse your users. This will be addressed in the future by #1169 and #2389.


💪 Exception for strong passwords 💪

Please note that below password policies do not affect administrators setting passwords on user accounts. While this seems strange and not safe we believe that an administrator knowing an user’s password is insecure as well.

The suggested workflow is either:

  • to use third party logins to not require local passwords at all - or -
  • to require your user to reset the password upon first login.

This way administrators are not required to set a user’s password at all!

Maximum failed logins

You can choose a value between 4 and 20. This defines how often a login to a user account may fail until Zammad will lock it. Please note that via UI the only way to unlock a user account is to change the password (either as admin or via password reset function (if enabled)).

The default value is 10.


You can also unlock an account via console or API.

2 lower and 2 upper characters

You can add complexity to passwords by enforcing at least 2 upper and lower case characters.

The default value is no.

Minimum length

This defines the minimum password length required for users to provide (from 4 to 20).

The default value is 6.

Digit required

This enforces your users to use at least one digit within the password.

The default value is yes.