Force Password complexity for userpass auth method

We’re searching for a way to force password complexity policies for users’ passwords created via the userpass auth method.

I’m aware of password policies but this seems to only support a few secret engines and I don’t see any way to integrate password policies with the userpass module.

Regardless of other means to increase security like MFA integration, I’m wondering if there is a way to force some password policy that I’m missing or if this is really not possible to do.

So the main questions I have are:

  1. Is it possible (and how) to force a complex password for users created via the userpass auth module?
  2. Does the Enterprise Vault version have a solution for this use case?


In general I wouldn’t recommend the use of the userpass auth engine. While it does work, it is pretty basic, and I don’t think it will be enhanced too extensively (as that isn’t really in scope for Vault). Instead I’d suggest using a “real” user management system, which might have complexity settings, update workflows, self-service, MFA, group management, etc., which you’d then integrate with Vault using the LDAP or OAuth auth engines.

Thanks @stuart-c! Just to make sure: while both of us agree that this is not the recommended way or even the best way to force password complexity in Vault, I do want to try and verify a definitive answer as to whether this is possible (while not recommended) or impossible to do?
Also, do you know if the enterprise version allows for such settings without external user management and regardless of MFA?