Password Policies
Production - PasswordPolicyService, PasswordExpirationService
Password policies enforce security requirements for user passwords. Each tenant can configure its own policy defining minimum complexity, maximum age, and history constraints.
6.4.12 Policy Configuration
The PasswordPolicy entity stores per-tenant password rules:
| Rule | Default | Description |
|---|---|---|
| minLength | 8 | Minimum password length |
| maxLength | 128 | Maximum password length |
| requireUppercase | true | Must contain an uppercase letter |
| requireLowercase | true | Must contain a lowercase letter |
| requireDigit | true | Must contain a numeric digit |
| requireSpecial | true | Must contain a special character |
| historyCount | 5 | Number of previous passwords that cannot be reused |
| maxAgeDays | 90 | Days before the password expires |
| minAgeDays | 1 | Minimum days between password changes |
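The complexity rules from the table, applied as a validator that reports every violated rule at once rather than stopping at the first one. This is an added example and not the project's PasswordPolicyService; the `PasswordPolicy` class below is a stand-in whose field names follow the table, and the definition of "special character" (any non-letter, non-digit, non-whitespace code point) is an assumption, since the page does not define it.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not the project's own code. PasswordPolicy is a stand-in whose
// field names are taken from the rule table; the real entity's accessors are assumed.
public class PasswordPolicyValidatorExample {

    static final class PasswordPolicy {
        final int minLength;
        final int maxLength;
        final boolean requireUppercase;
        final boolean requireLowercase;
        final boolean requireDigit;
        final boolean requireSpecial;

        PasswordPolicy(int minLength, int maxLength, boolean requireUppercase,
                       boolean requireLowercase, boolean requireDigit, boolean requireSpecial) {
            this.minLength = minLength;
            this.maxLength = maxLength;
            this.requireUppercase = requireUppercase;
            this.requireLowercase = requireLowercase;
            this.requireDigit = requireDigit;
            this.requireSpecial = requireSpecial;
        }
    }

    /** Returns every rule the candidate violates; an empty list means it satisfies the policy. */
    static List<String> violations(String candidate, PasswordPolicy policy) {
        List<String> out = new ArrayList<>();
        if (candidate == null || candidate.isEmpty()) {
            out.add("password is required");
            return out;
        }
        // Count code points, not UTF-16 units, so characters outside the BMP count once.
        int length = candidate.codePointCount(0, candidate.length());
        if (length < policy.minLength) {
            out.add("shorter than minLength=" + policy.minLength);
        }
        // maxLength also bounds how much attacker-controlled input reaches the slow password hasher.
        if (length > policy.maxLength) {
            out.add("longer than maxLength=" + policy.maxLength);
        }

        boolean hasUpper = false, hasLower = false, hasDigit = false, hasSpecial = false;
        for (int cp : candidate.codePoints().toArray()) {
            if (Character.isUpperCase(cp)) {
                hasUpper = true;
            } else if (Character.isLowerCase(cp)) {
                hasLower = true;
            } else if (Character.isDigit(cp)) {
                hasDigit = true;
            } else if (!Character.isWhitespace(cp)) {
                // Assumption: "special" means any non-letter, non-digit, non-whitespace character.
                hasSpecial = true;
            }
        }
        if (policy.requireUppercase && !hasUpper) out.add("missing uppercase letter");
        if (policy.requireLowercase && !hasLower) out.add("missing lowercase letter");
        if (policy.requireDigit && !hasDigit) out.add("missing digit");
        if (policy.requireSpecial && !hasSpecial) out.add("missing special character");
        return out;
    }

    public static void main(String[] args) {
        // Defaults from the rule table; the candidate strings are constructed samples.
        PasswordPolicy defaults = new PasswordPolicy(8, 128, true, true, true, true);
        System.out.println(violations("Correct-Horse-9", defaults));
        System.out.println(violations("password", defaults));
    }
}
```

Returning the full list of violations lets the caller show the user everything to fix in one round trip, and keeps the length checks independent of the character-class checks so a tenant that disables `requireSpecial` still gets `minLength` enforced.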
6.4.13 Password History
The PasswordHistory table stores hashed versions of previous passwords. When a user changes their password, the service checks the history:
```java
// Reject the new password if it matches any of the last N stored hashes,
// where N is the tenant's historyCount (default 5).
List<PasswordHistory> history = passwordHistoryRepository
        .findTopNByUserIdOrderByCreatedAtDesc(userId, policy.getHistoryCount());
for (PasswordHistory ph : history) {
    // passwordEncoder.matches() hashes the plaintext candidate and compares it
    // to the stored hash, so plaintext previous passwords are never kept.
    if (passwordEncoder.matches(newPassword, ph.getPasswordHash())) {
        throw new BusinessException("Password was used recently");
    }
}
```

6.4.14 Password Expiration
The PasswordExpirationService checks whether a user's password has exceeded the maximum age:
- `user.passwordChangedAt` tracks when the password was last changed
- If `now - passwordChangedAt > maxAgeDays`, the user is prompted to change their password
- The `PasswordExpirationService` can be invoked during login to enforce mandatory password rotation
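The age checks above, worked through with `java.time`. This is an added example, not the project's PasswordExpirationService (whose API the page does not show); the helpers are free-standing, and treating a missing `passwordChangedAt` as expired is an assumption made here so that accounts created before the policy existed are forced through a change rather than silently exempted. It also covers `minAgeDays` from the policy table, which is the counterpart to the history check: without a minimum age a user could change the password `historyCount + 1` times in a row to cycle back to the old one.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;

// Added example, not the project's own code. The PasswordExpirationService API is
// not shown on the page, so these are free-standing helpers over java.time.
public class PasswordExpirationExample {

    /** Whole days elapsed since the last change; never negative even if the clock was set back. */
    static long daysSinceChange(Instant passwordChangedAt, Instant now) {
        return Math.max(0, ChronoUnit.DAYS.between(passwordChangedAt, now));
    }

    /** True when now - passwordChangedAt exceeds maxAgeDays, i.e. the user must rotate. */
    static boolean isExpired(Instant passwordChangedAt, Instant now, int maxAgeDays) {
        // Assumption: a missing timestamp (account predates the policy) counts as expired.
        if (passwordChangedAt == null) {
            return true;
        }
        return daysSinceChange(passwordChangedAt, now) > maxAgeDays;
    }

    /** True when at least minAgeDays have passed, so a change request may proceed. */
    static boolean isChangeAllowed(Instant passwordChangedAt, Instant now, int minAgeDays) {
        if (passwordChangedAt == null) {
            return true;
        }
        return daysSinceChange(passwordChangedAt, now) >= minAgeDays;
    }

    public static void main(String[] args) {
        int maxAgeDays = 90;  // policy defaults from the rule table
        int minAgeDays = 1;
        Instant now = Instant.parse("2024-06-01T00:00:00Z");  // constructed timestamps

        Instant fresh = now.minus(2, ChronoUnit.HOURS);
        Instant stale = now.minus(91, ChronoUnit.DAYS);

        System.out.println("fresh expired? " + isExpired(fresh, now, maxAgeDays));
        System.out.println("fresh change allowed? " + isChangeAllowed(fresh, now, minAgeDays));
        System.out.println("stale expired? " + isExpired(stale, now, maxAgeDays));
        System.out.println("stale change allowed? " + isChangeAllowed(stale, now, minAgeDays));
    }
}
```

Comparing in whole days keeps the check consistent with how `maxAgeDays` and `minAgeDays` are configured; pass a single `now` value through both checks so a login that straddles midnight does not see the password as both fresh and expired.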
Related Services
| Service | Responsibility |
|---|---|
| PasswordService | Password change and reset operations |
| PasswordPolicyService | Policy CRUD and validation |
| PasswordExpirationService | Expiration checking and enforcement |