# Password restrictions

It is possible to enforce password restrictions on user accounts when using the native Overleaf login system for authentication.

{% hint style="info" %}
It is **not** possible to enforce password restrictions for SSO (LDAP/SAML 2.0) logins. These must be configured in your Identity Provider (IdP).
{% endhint %}

To do so, you'll need to set the relevant environment variable in the Toolkit's **config/variables.env** file.

| Name                                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `OVERLEAF_PASSWORD_VALIDATION_MIN_LENGTH` | <p>The <strong>minimum</strong> length required<br><br><strong>Default:</strong> 8</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| `OVERLEAF_PASSWORD_VALIDATION_MAX_LENGTH` | <p>The <strong>maximum</strong> length allowed<br><br><strong>Default:</strong> 72</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| `OVERLEAF_PASSWORD_VALIDATION_PATTERN`    | <p>Used to validate password <strong>strength</strong>:</p><ul><li><code>abc123</code> – the password must contain 3 letters and 3 numbers and be at least 6 characters long</li><li><code>aA</code> – the password must contain lowercase and uppercase letters and be 2 characters long</li><li><code>ab$3</code> – the password must contain letters, digits and symbols and be 4 characters long</li><li>There are 4 groups of characters: letters, UPPERcase letters, digits and symbols. Anything that is neither a letter nor a digit is considered a symbol.</li></ul> |
