When Are Okta Password Policy Changes Applied to Existing Users
Overview

Okta applies new password policy requirements to existing users only after their current password expires or a user initiates a password reset. Modifying a password policy does not immediately log users out or force a password change upon their next login. Administrators modify existing password policies to update settings such as minimum length, complexity requirements, and common password checks. The complexity requirements include lowercase letters, uppercase letters, numbers, and symbols, and prohibit the inclusion of parts of the user's first name, last name, or username.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Password Policy
  • End User
Solution

When are Okta password policy changes enforced for existing users?

The following details explain how Okta handles password policy modifications for existing accounts:

  • After an administrator modifies the password requirements for a password policy, the changes do not immediately impact existing users.
  • Okta does not log users out or force a password change at their next login.
  • Okta enforces the new password requirements only after the existing password expires or when a user initiates a password reset and must set a new password.
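
An audit sketch based on the behavior above (an added example, not Okta's code): it classifies users by whether their current password was set before the policy edit and therefore has not yet been checked against the new requirements. It assumes user records shaped like Okta Users API objects with a `passwordChanged` timestamp; the sample records, the policy edit time, and the `max_age_days` value are constructed.

```python
from datetime import datetime, timedelta

def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2024-03-01T00:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_users(users, policy_changed_at, max_age_days):
    """Return (login, state, expires_at) tuples.

    state is one of:
      set-under-old-policy         password predates the policy edit, so it
                                   has not been checked against the new rules
      set-under-new-policy         password was set after the edit
      no-password-change-recorded  passwordChanged is null
    expires_at is when an old-policy password ages out; None when it does not
    apply or when max_age_days is 0 (treated here as "expiration disabled").
    """
    cutoff = parse_ts(policy_changed_at)
    report = []
    for user in users:
        login = user["profile"]["login"]
        changed = user.get("passwordChanged")
        if changed is None:
            report.append((login, "no-password-change-recorded", None))
            continue
        changed_at = parse_ts(changed)
        if changed_at >= cutoff:
            report.append((login, "set-under-new-policy", None))
            continue
        expires = changed_at + timedelta(days=max_age_days) if max_age_days > 0 else None
        report.append((login, "set-under-old-policy", expires))
    return report

# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"passwordChanged": "2024-01-10T08:00:00.000Z", "profile": {"login": "alice@example.com"}},
    {"passwordChanged": "2024-03-05T12:00:00.000Z", "profile": {"login": "bob@example.com"}},
    {"passwordChanged": None, "profile": {"login": "carol@example.com"}},
]
POLICY_CHANGED_AT = "2024-03-01T00:00:00.000Z"  # constructed policy edit time

if __name__ == "__main__":
    for login, state, expires in audit_users(SAMPLE_USERS, POLICY_CHANGED_AT, 90):
        print(login, state, expires.isoformat() if expires else "-")
```

With expiration disabled, `expires_at` is `None` for old-policy passwords: per the behavior above, those accounts move to the new requirements only when the user resets the password.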
