Passwords

This page covers how passwords work in Atrium when using the built-in identity provider. If your tenant uses an external identity provider (Entra ID, Okta, Google Workspace), passwords are managed by that provider — this page doesn't apply.

Password policy

Atrium enforces a single rule: passwords must be at least 10 characters long. There are no composition requirements (uppercase, digits, special characters, and so on). Length does more for password strength than forced complexity, and composition rules push users toward predictable substitutions; NIST SP 800-63B makes the same recommendation against them.

There is no maximum length. Passwords are hashed with argon2id, which accepts input of any length without truncating it (bcrypt, by contrast, silently ignores everything after 72 bytes).

First login and must-change-password

When a Tenant-Admin creates a new user account or resets a user's password, the account is flagged with must_change_password. On the user's next login, they are prompted to set a new password before they can access the application.

This ensures that initial or reset passwords (which the admin knows) are replaced with a password only the user knows.

Changing your password

Users can change their own password from their account settings:

  1. Navigate to your account settings.
  2. Enter your current password.
  3. Enter and confirm your new password (minimum 10 characters).
  4. Save.

The change takes effect immediately for new logins. It does not revoke sessions that are already open: their access tokens stay valid until they expire, which can be up to 15 minutes after the change. If you are changing a password because you suspect it was compromised, assume an attacker's existing session may live for that window.

Password reset (admin-initiated)

Tenant-Admins can reset any user's password:

  1. Navigate to Settings → Users and select the user.
  2. Initiate a password reset.
  3. Set a temporary password.
  4. Communicate the temporary password to the user through a secure channel.
  5. The user will be required to change the password on their next login.

There is no self-service "forgot password" email flow in the current version of the built-in IdP; password resets are admin-initiated.

Password hashing

Passwords are hashed with argon2id, the algorithm OWASP currently recommends for password storage. The cost parameters (memory cost, time cost, parallelism) are configurable for self-hosted deployments on resource-constrained hardware; the defaults are chosen for modern server hardware. Lowering them makes every hash cheaper to attack offline if the credentials table ever leaks, so do not go below OWASP's floor of 19 MiB memory, 2 iterations and parallelism 1, and raise the cost again once the hardware allows.

Atrium never stores or displays plain-text passwords. Password hashes are stored in a dedicated credentials table, separate from the user profile table.
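The behaviour described on this page (the length-only policy, must_change_password set on admin-chosen passwords and cleared by a self-service change, the current-password check, and argon2id with tunable cost parameters over a credentials table kept apart from profiles) as one runnable model. This is an added example, not Atrium's code: the table layout, function names, status strings and cost values are assumptions, and only the field name must_change_password comes from the page. It uses argon2id through the argon2-cffi package when that is installed; otherwise it falls back to scrypt from the standard library so it still runs offline. The fallback is a labelled stand-in, not what Atrium uses.

```python
"""Model of the built-in IdP's password handling described on this page.
Added example, not Atrium's code: table layout, function names, status
strings and cost values are assumptions; only must_change_password is the page's."""
import hashlib
import hmac
import os
from typing import Optional

MIN_PASSWORD_CHARS = 10  # the only policy rule; there is no maximum

try:
    # Preferred backend: argon2id via the argon2-cffi package.
    from argon2 import PasswordHasher, exceptions as argon2_exc

    # The tunables the page mentions. These are argon2-cffi's own defaults
    # and sit above OWASP's floor of 19 MiB memory, t=2, p=1.
    _ph = PasswordHasher(time_cost=3, memory_cost=64 * 1024, parallelism=4)
    BACKEND = "argon2id"

    def hash_password(pw: str) -> str:
        # Self-describing output: $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
        return _ph.hash(pw)

    def verify_password(stored: str, pw: str) -> bool:
        try:
            return _ph.verify(stored, pw)
        except argon2_exc.VerifyMismatchError:
            return False

    def needs_rehash(stored: str) -> bool:
        # True if the hash predates the current cost parameters (e.g. an
        # operator raised them); the caller rehashes on a successful login.
        return _ph.check_needs_rehash(stored)

except ImportError:
    # Offline stand-in so the example runs without third-party packages:
    # scrypt from the standard library. Memory-hard too, but NOT what Atrium uses.
    BACKEND = "scrypt-standin"

    def hash_password(pw: str) -> str:
        salt = os.urandom(16)
        dk = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
        return "$scrypt$" + salt.hex() + "$" + dk.hex()

    def verify_password(stored: str, pw: str) -> bool:
        _, _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1, dklen=32)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

    def needs_rehash(stored: str) -> bool:
        return False  # fixed parameters in this stand-in

# Two separate tables, as the page describes: profile data holds no secrets.
profiles = {}     # user_id -> {"email": ...}
credentials = {}  # user_id -> {"hash": ..., "must_change_password": bool}

def policy_violation(pw: str) -> Optional[str]:
    """The one rule. len() counts characters, not bytes, so a 10-character
    non-ASCII password passes; no upper bound is imposed."""
    if len(pw) < MIN_PASSWORD_CHARS:
        return f"password must be at least {MIN_PASSWORD_CHARS} characters"
    return None

def admin_set_password(user_id: str, temporary_pw: str) -> Optional[str]:
    """Tenant-Admin create or reset: store the temporary password and flag it."""
    problem = policy_violation(temporary_pw)
    if problem is None:
        credentials[user_id] = {"hash": hash_password(temporary_pw),
                                "must_change_password": True}
    return problem

def create_user(user_id: str, email: str, temporary_pw: str) -> Optional[str]:
    profiles[user_id] = {"email": email}  # never holds a hash or password
    return admin_set_password(user_id, temporary_pw)

def login(user_id: str, pw: str) -> str:
    """'denied', 'must_change_password' (show only the change screen, issue
    no application session) or 'ok'."""
    cred = credentials.get(user_id)
    if cred is None or not verify_password(cred["hash"], pw):
        return "denied"
    if needs_rehash(cred["hash"]):
        cred["hash"] = hash_password(pw)  # transparent upgrade to current costs
    return "must_change_password" if cred["must_change_password"] else "ok"

def change_password(user_id: str, current_pw: str, new_pw: str, confirm_pw: str) -> str:
    """Self-service change: 'ok', 'bad_current', 'mismatch' or the policy message."""
    cred = credentials.get(user_id)
    if cred is None or not verify_password(cred["hash"], current_pw):
        return "bad_current"
    if new_pw != confirm_pw:
        return "mismatch"
    problem = policy_violation(new_pw)
    if problem is not None:
        return problem
    cred["hash"] = hash_password(new_pw)
    cred["must_change_password"] = False  # the admin-known password is gone
    return "ok"

if __name__ == "__main__":  # constructed walkthrough
    print("backend:", BACKEND)
    create_user("alice", "alice@example.com", "Temp-pass-9f2k")
    print(login("alice", "Temp-pass-9f2k"), change_password("alice", "Temp-pass-9f2k",
          "correct horse battery", "correct horse battery"), login("alice", "correct horse battery"))
```

Two details worth noticing when adapting this. First, the stored argon2id string carries its own parameters, so raising memory or time cost in the configuration does not invalidate existing hashes; needs_rehash lets the next successful login upgrade them in place. Second, the login result for a flagged account is a distinct status rather than a session: the must-change gate only holds if the application refuses to mint an access token until change_password has returned "ok".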