# Keycloak # Design # Operation # Understanding Password Policy with Keycloak and LDAP ## Keycloak Password Policy [https://www.keycloak.org/docs/latest/server\_admin/index.html#\_password-policies](https://www.keycloak.org/docs/latest/server_admin/index.html#_password-policies) ### Password Policy at Realm level Keycloak Password Policy has to be configured at realm-level. ### Keycloak Password Policy Types Kecloak provides the following Password Policies: 
Policy Name | Description |
---|---|
Expire Password | The number of days for which the password is valid. After the number of days has expired, the user is required to change their password |
Hashing Iterations | This value specifies the number of times a password will be hashed before it is stored or verified. The default value is 27,500 |
Special Characters | The number of special characters like ‘?!#%$’ required to be in the password string |
Not Recently Used | This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password they cannot use any stored passwords |
Uppercase Characters | The number of upper case letters required to be in the password string |
Lowercase Characters | The number of lower case letters required to be in the password string |
Password Blacklist | This policy checks if a given password is contained in a blacklist file, which is potentially a very large file. Password blacklists are UTF-8 plain-text files with Unix line endings where every line represents a blacklisted password. The file name of the blacklist file must be provided as the password policy value, e.g. *10\_million\_password\_list\_top\_1000000.txt*. Blacklist files are resolved against ${jboss.server.data.dir}/password-blacklists/ by default. This path can be customized via the keycloak.password.blacklists.path system property, or the blacklistsPath property of the passwordBlacklist policy SPI configuration |
Minimum Length | The minimum length of a password |
Regular Expression | Define one or more Perl regular expression patterns that passwords must match |
Digits | The number of digits required to be in the password string |
Not Username | When set, the password is not allowed to be the same as the username |
Hashing Algorithm | Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. The only built-in and default algorithm available is PBKDF2. See the [Server Developer Guide](https://www.keycloak.org/docs/latest/server_development/) on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until the next time the user logs in |