Setting | Property Name | Description
Password Complexity

This is a regular expression that controls what passwords will be considered sufficiently complex. When users register or change their password, they are required to choose a password that matches this regular expression. If their new password does not match the regular expression, they will be prompted to choose a new one.

By default this regular expression is set to ^.*$, which will match any password string. If you want to require that users choose more complicated passwords, you can change this to whatever Java regular expression you like.

For example, this regex requires a password of at least 8 characters, with upper and lower case, a number, and a non-numeric symbol: 

Password Complexity Message

This is the message that users will receive if they try to choose a new password that does not match the Password Complexity regular expression. By default this is set to 'Password is not sufficiently complex.', but you may want to change this to include a description of what is needed to satisfy the regular expression. For example, you may want this message to be 'Passwords must be at least 8 characters long and contain at least one digit'.
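
An added example, not part of the original page or of XNAT's own code: a constructed pattern that meets the description given under Password Complexity (at least 8 characters, upper and lower case, a digit and a non-alphanumeric symbol), run against constructed sample passwords next to the default ^.*$. It assumes the whole password must match the expression; the class name and the STRICT pattern are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class PasswordComplexityCheck {
    // The default value: matches any single-line string, including the empty one.
    static final Pattern DEFAULT = Pattern.compile("^.*$");

    // Constructed for this example (not taken from the XNAT documentation):
    // one lookahead per required character class, then a minimum length of 8.
    static final Pattern STRICT = Pattern.compile(
        "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$");

    // Assumption: the whole password must match the expression.
    static boolean accepts(Pattern policy, String password) {
        return policy.matcher(password).matches();
    }

    public static void main(String[] args) {
        // Constructed sample passwords, each with the verdict STRICT should give.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("", false);                   // empty
        samples.put("password", false);           // lower case only
        samples.put("Password1", false);          // no symbol
        samples.put("Pw1!", false);               // all classes, but too short
        samples.put("PASSWORD1!", false);         // no lower case
        samples.put("Tr1cky-Pass", true);         // every requirement met
        samples.put("correct Horse 9", true);     // a space counts as a symbol

        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean strict = accepts(STRICT, e.getKey());
            if (strict != e.getValue()) {
                throw new AssertionError("unexpected verdict for: " + e.getKey());
            }
            System.out.printf("%-18s default=%-5b strict=%b%n",
                "'" + e.getKey() + "'", accepts(DEFAULT, e.getKey()), strict);
        }
    }
}
```

The default pattern accepts every sample, including the empty string, so the Password Complexity Message is only ever shown once a stricter expression is configured.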

Password Expiration

This set of radio buttons controls password expiration. This setting can be set to:

  • Disabled: Passwords will never expire and users can continue to use the same passwords for as long as the site exists
  • Interval: Passwords expire after a specified interval of time
  • Date: Any passwords that were last changed before the specified date will be considered expired

This setting exposes related settings, as defined below.

Password Expiration (Interval)


This setting is only used if Password Expiration is set to "Interval". It represents the interval of time after which unchanged passwords expire and users have to change them.

By default this interval is set to '1 year', which means that users can continue using their password for a year before being required to change it. Having a short expiration interval can help protect against people who find someone's old password (e.g. if a user's password is included in requests which get written to a log file that a malicious user gets access to) by making it less likely that their old password is still valid. However, the risk of a short interval is that it can lead to people writing down their passwords or choosing new passwords that are nearly identical to their old passwords.


This setting uses PostgreSQL interval notation (e.g. '1 day', '3 hours', '5 weeks', '1 year').

Password Expiration (Date)


This setting is only used if Password Expiration is set to "Date". It represents the date used for expiration: any passwords that were last changed before this date are considered expired and users have to change them.

This can be useful when upgrading from an old version of XNAT to ensure that user passwords are stored with the latest security improvements. It can also be useful to expire by date if there is concern that malicious users might have been able to get access to passwords before that date (e.g. if before a certain date you had been writing user passwords to log files which were archived in an insecure place).

Password Reuse Restriction

This is what determines whether users are able to reuse old passwords. If set to 'None', then users will be able to reuse passwords they have used previously without any restrictions. If set to 'Historical', then users will be unable to change their password to a password that had been used within the time period specified in the Password History preference.

Password History

This setting is only used if Password Reuse Restriction is set to "Historical".

This is the period of time for which users cannot reuse passwords. By default the Interval is set to '1 year', so users cannot change their password to any password they used in the last year. Once it has been a year since they used a given password, they can use it again.


This setting uses PostgreSQL interval notation (e.g. '1 day', '3 hours', '5 weeks', '1 year').

Require Passwords To Be Salted

This controls whether users whose passwords are not currently salted in the database will need to change their password.

Whenever users register or change their password, their passwords will be salted and then hashed before being stored in the database. However, when migrating users from earlier versions of XNAT, there may be some users who have not changed their password since XNAT started salting all passwords. If this setting is set to 'Required', these users will be required to change their password when they first log in. In addition, the default XNAT admin user, 'admin', does not have a salted password, so if this is set to 'Required', the admin will have to change their password (which they should be doing anyway). Having all user passwords be salted makes it harder for someone to discover what a user's password is, even if they have access to the users database table.
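
An added example, not XNAT's implementation, of how a 'Historical' reuse check works once passwords are stored salted and hashed, covering the Password History and salting settings above. It needs Java 16 or later; PBKDF2, the Entry record, the sample passwords and dates, and measuring the window from when a password was last in use are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.Period;
import java.time.ZoneOffset;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHistoryCheck {
    // One retired credential: its own random salt, the derived hash, when it was last in use.
    record Entry(byte[] salt, byte[] hash, Instant lastUsed) {}

    // Assumption: PBKDF2 stands in for whatever salted hash the server really uses.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static Entry store(String password, Instant lastUsed) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Entry(salt, hash(password.toCharArray(), salt), lastUsed);
    }

    // 'Historical' rule: reject a candidate equal to any password in use within the window.
    static boolean reused(String candidate, List<Entry> history, Period window, Instant now) throws Exception {
        Instant cutoff = now.atZone(ZoneOffset.UTC).minus(window).toInstant();
        boolean hit = false;
        for (Entry e : history) {
            if (e.lastUsed().isBefore(cutoff)) continue; // outside the window: reuse allowed
            // Salts differ per entry, so the candidate is re-hashed with each stored salt.
            hit |= MessageDigest.isEqual(hash(candidate.toCharArray(), e.salt()), e.hash());
        }
        return hit;
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2024-06-01T00:00:00Z"); // constructed dates and passwords
        List<Entry> history = List.of(
            store("Old-Passw0rd", Instant.parse("2023-01-10T00:00:00Z")),
            store("Newer-Passw0rd", Instant.parse("2023-11-05T00:00:00Z")));
        Period oneYear = Period.ofYears(1); // the default Password History of '1 year'
        System.out.println(reused("Newer-Passw0rd", history, oneYear, now)); // in use within the window
        System.out.println(reused("Old-Passw0rd", history, oneYear, now));   // retired before the window
        System.out.println(reused("Fresh-Passw0rd", history, oneYear, now)); // never used
    }
}
```

Because each history entry has its own salt, two stored hashes cannot be compared with each other directly; the check only works by re-deriving the candidate's hash per entry, which is also why the salt and a timestamp have to be kept alongside every old hash.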