What are LUSID's password policies?

Updated
  • Updated on May 23, 2025
  • Published on Aug 20, 2024
Prev Next

LUSID has separate password policies for personal and for service users, but out-of-the-box the requirements are the same:

  • Passwords must have a minimum of 12 characters.

  • Passwords must include a mix of letters, numbers, uppercase and lowercase characters, and symbols.

  • Passwords cannot contain part of the username.

  • Accounts are locked after 10 unsuccessful attempts.

  • Passwords do not expire.

Note: A personal user must set up at least one multi-factor authentication method in addition to their password.

You can call the UpdatePasswordPolicy API to change most aspects of the password policy for personal users, service users, or both. Note you cannot change the requirement to include a mix of letters, numbers, uppercase and lowercase characters, and symbols.

For example, to configure the password policy for personal users (specified in the URL) to mandate that passwords expire after 30 days:

curl -X POST 'https://<your-domain>.lusid.com/identity/api/authentication/password-policy/Personal'
   -H 'Authorization: Bearer <your-API-access-token>'
   -H 'Content-Type: application/json-patch+json'
   -d '{
  "conditions": {
    "complexity": {
      "minLength": 12,             <-- Must be between 12 and 30
      "excludeFirstName": true,    <-- false allows first names in passwords
      "excludeLastName": true      <-- false allows last names in passwords
    },
    "age": {
      "maxAgeDays": 30,            <-- 0 means passwords never expire
      "historyCount": 4            <-- Between 0 and 30 passwords must be unique before one can be re-used
    },
    "lockout": {
      "maxAttempts": 10            <-- O means unlimited incorrect attempts allowed (max 100)
    }
  }
}'
JSON

To examine the password policy currently in place for personal users or for service users, call the GetPasswordPolicy API.