ServiceNow Password Policies — A Complete Guide for Admins
Everything you need to know about configuring, applying, and customizing password policies on your ServiceNow instance — from out-of-the-box presets to fully custom validation scripts.
Introduction to Password Policies
The Password Policy plugin (com.glide.password_policy) is enabled by default. The policy goes into effect when a user changes or resets their password — at that point, the password being set is validated against the rules of the active policy.
Out of the box, the Password Strength Preset field is automatically set to Default Strong. You can leave this default in place, switch to a different preset, or build a fully custom policy with your own scripted rules.
- Six presets: Default, Medium, High, Default Strong, Custom, Advanced.
- Length and complexity: minimum/maximum length and minimum counts of uppercase, lowercase, numeric and special characters.
- Excluded passwords: block specific passwords from being set at all.
- Custom scripts: write your own regex validation rules.
The Six Built-in Password Strength Presets
When you create or edit a password policy, the Password Strength Preset field auto-populates the complexity fields. Here are the exact specifications for each preset, side-by-side:
| Preset | Min Len | Max Len | Upper | Lower | Numeric | Special |
|---|---|---|---|---|---|---|
| Default | 8 | 100 | 1 | 1 | 1 | 0 |
| Medium | 8 | 100 | 1 | 1 | 1 | 1 |
| High | 8 | 100 | 1 | 2 | 1 | 3 |
| Default Strong (out-of-the-box default) | 8 | 100 | 1 | 1 | 1 | 1 |
| Custom | 8 | 100 | 1 | 1 | 1 | 1 |
| Advanced | (script-driven) | | | | | |

The Advanced preset hides the standard complexity fields entirely and instead displays the Password Rule Script and Password Strength Script fields, so the whole policy is defined in script.
Special note on Default Strong: When the Password Strength Preset is set to Default Strong, both the Sequence Length Threshold and Repetition Length Threshold are automatically set to 4 characters. These thresholds restrict weak combinations like 123456, qwerty, or aaaaa.
Creating a New Password Policy — Step by Step
Follow these steps to create a new password policy record:
1. Navigate to Password Policies: All > Password Policy > Password Policies.
2. Click New. The Password Policy form appears.
3. Specify the Name for your password policy.
4. Choose a Password Strength Preset. In the Password Policy Criteria section, select one of: Default, Medium, High, Default Strong, Custom, or Advanced.
5. Fill in the remaining fields on the form: the complexity counts, included/excluded special characters, the Disallow User Data option, the sequence and repetition thresholds, and the test password field (see Password Policy Form Fields Explained below).
6. Test your password before submitting. Type a candidate password into Test Your Password, click Test Your Password, and once the password is reported as valid, click Submit.
Password Policy Form Fields Explained
Here's a breakdown of every field you'll see on the Password Policy form:
| Field | Description |
|---|---|
| Minimum Password Length | Minimum length of the password. Displayed for all presets except Advanced. Documentation suggests setting this to a minimum of 8 characters. |
| Maximum Password Length | Maximum length of the password. Displayed for all presets except Advanced. Documentation indicates setting this to a maximum of 100 characters. |
| Minimum Uppercase Character(s) | Minimum number of uppercase characters required, from 0 to 10. |
| Minimum Lowercase Character(s) | Minimum number of lowercase characters required, from 0 to 10. |
| Minimum Numeric Character(s) | Minimum number of numeric digits required, from 0 to 10. |
| Minimum Special Character(s) | Minimum number of special characters required, from 0 to 10. |
| Included Special Characters | Restricts which special characters may be used. Enter the characters as one string with no delimiter. Example: entering $! means users can only use $ and ! as special characters in the password. |
| Excluded Special Characters | Prevents specific special characters from being used. Example: entering @$! means users cannot use those characters. Note: Available only if the system property glide.password_policy.use_excluded_special_char is enabled. |
| Disallow User Data | Option to disallow authentication-related user data in the password. Per the field's tooltip, this checks the password against the user's firstname, lastname, username, and company fields. |
| Sequence Length Threshold | Restricts predictable sequences such as 123456, qwerty, or !@#$%^. Maximum threshold value is 8 characters. |
| Repetition Length Threshold | Restricts repetitive sequences such as aaaaa. Maximum threshold value is 8 characters. Both Sequence and Repetition thresholds are automatically set to 4 characters when the preset is Default Strong. |
| Test Your Password | Allows you to type and validate a password against the rules you've configured before submitting the policy. Always test before saving. |
Applying Your Policy to the Instance
Creating a new policy record alone does not make it the active policy. To make a policy take effect on your instance, you need to attach it to a Credential Store.
1. Navigate to Credentials Stores: All > Password Reset > Credentials Stores.
2. Open the credential store record. Select the Local ServiceNow Instance record to apply a policy to the instance itself.
3. Update the Password Policy field on the credential store to reference your policy record, then save the record.
How to Tell Which Policy Is Active
If you have multiple policy records in your instance (for example, both Default and Medium), you can identify the active one visually:
Active policies are highlighted in green. On the Password Policies list, the currently active policy is highlighted (visible from the San Diego release onwards). If your instance is on Rome or earlier, this visual cue isn't available — instead, check which policy is referenced from the Credential Store.
One Policy Per Instance — Important Scope Note
Per-group password policies are not supported natively
The password policy is for the entire instance — there can only be one.
If you have a requirement to apply different password rules to different users, this is a known limitation. The only way to enforce different rules is at the level of an external identity provider for SSO-authenticated users.
Preventing User Data in Passwords
A common compliance requirement is that passwords must not contain the user's own username or other personal data. ServiceNow provides this natively via the Disallow User Data checkbox on the Password Policy record.
Per the tooltip on this field, when enabled it checks the proposed password against the following user record fields:
- First name
- Last name
- Username
- Company
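To make the preset and form-field semantics concrete, here is an added example (it is not ServiceNow code and does not claim to be how the platform validates internally): a stand-alone JavaScript model of a policy record with the Default Strong values from the preset table, both thresholds at 4, the Included/Excluded Special Characters behaviour, and the Disallow User Data check against the four fields listed in this section. The keyboard rows used to recognise sequences, the reading of the thresholds as "a run of this many characters fails", case-insensitive substring matching for user data, and the sample user record are all assumptions made for the example.

```javascript
// Added example, not ServiceNow code: a stand-alone model of the checks the
// Password Policy form fields describe. ServiceNow's own validator is not
// shown on this page, so treat the threshold and sequence logic here as an
// approximation of the described behaviour, not the platform's algorithm.

// Field values of the Default Strong preset from the table above, plus the
// two thresholds the page says that preset sets to 4.
const DEFAULT_STRONG = {
  minLength: 8,
  maxLength: 100,
  minUpper: 1,
  minLower: 1,
  minNumeric: 1,
  minSpecial: 1,
  includedSpecial: '',     // '' = any non-alphanumeric character counts as special
  excludedSpecial: '',     // characters that must not appear anywhere
  disallowUserData: true,
  sequenceThreshold: 4,    // assumption: a run of this many sequence chars fails
  repetitionThreshold: 4,  // assumption: a run of this many identical chars fails
};

// Constructed sample user record; field names follow sys_user conventions.
const SAMPLE_USER = { first_name: 'Ada', last_name: 'Lovelace', user_name: 'alovelace', company: 'Acme' };

// Runs a "sequence" may be drawn from. The page names 123456, qwerty and
// !@#$%^ as examples; the full set of rows is an assumption for this example.
const SEQUENCE_SOURCES = [
  'abcdefghijklmnopqrstuvwxyz',
  '0123456789',
  'qwertyuiop', 'asdfghjkl', 'zxcvbnm',
  '!@#$%^&*()',
];

// True if pwd contains a forward or reversed run of `length` consecutive
// characters from any source (case-insensitive).
function hasSequence(pwd, length) {
  const p = pwd.toLowerCase();
  for (let i = 0; i + length <= p.length; i++) {
    const chunk = p.slice(i, i + length);
    const reversed = chunk.split('').reverse().join('');
    if (SEQUENCE_SOURCES.some(s => s.includes(chunk) || s.includes(reversed))) return true;
  }
  return false;
}

// True if one character repeats `length` or more times in a row.
function hasRepetition(pwd, length) {
  return new RegExp('(.)\\1{' + (length - 1) + ',}').test(pwd);
}

// A character counts toward Minimum Special Character(s) only if it is
// non-alphanumeric and, when an Included set is configured, is in that set.
function isCountedSpecial(ch, policy) {
  if (/[A-Za-z0-9]/.test(ch)) return false;
  return policy.includedSpecial === '' || policy.includedSpecial.includes(ch);
}

// Returns the names of every rule the password fails; [] means it is accepted.
function validate(pwd, policy, user) {
  const failures = [];
  const chars = Array.from(pwd);
  const count = re => (pwd.match(re) || []).length;
  if (pwd.length < policy.minLength) failures.push('too short');
  if (pwd.length > policy.maxLength) failures.push('too long');
  if (count(/[A-Z]/g) < policy.minUpper) failures.push('uppercase');
  if (count(/[a-z]/g) < policy.minLower) failures.push('lowercase');
  if (count(/[0-9]/g) < policy.minNumeric) failures.push('numeric');
  if (chars.filter(c => isCountedSpecial(c, policy)).length < policy.minSpecial) failures.push('special');
  // Included set: a special character outside the allowed set is rejected outright.
  if (policy.includedSpecial &&
      chars.some(c => !/[A-Za-z0-9]/.test(c) && !policy.includedSpecial.includes(c))) {
    failures.push('disallowed special');
  }
  if (chars.some(c => policy.excludedSpecial.includes(c))) failures.push('excluded special');
  if (policy.disallowUserData && user) {
    // The four fields named by the Disallow User Data tooltip, matched as
    // case-insensitive substrings (the matching rule itself is an assumption).
    const lower = pwd.toLowerCase();
    for (const field of ['first_name', 'last_name', 'user_name', 'company']) {
      const value = String(user[field] || '').toLowerCase();
      if (value && lower.includes(value)) failures.push('contains ' + field);
    }
  }
  if (hasSequence(pwd, policy.sequenceThreshold)) failures.push('sequence');
  if (hasRepetition(pwd, policy.repetitionThreshold)) failures.push('repetition');
  return failures;
}
```

Running `validate('Ada12345!', DEFAULT_STRONG, SAMPLE_USER)` reports both the embedded first name and the 1234 sequence, while `validate('Qwerty!!!!7', DEFAULT_STRONG, SAMPLE_USER)` is rejected on sequence and repetition even though every complexity count is satisfied; that is the gap the two thresholds close that the count fields alone do not.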
Excluding Specific Passwords
You can block specific passwords from being set, regardless of whether they otherwise meet your complexity rules. ServiceNow stores these in a dedicated table.
Where to Manage Excluded Passwords
Navigate to Password Policy > Excluded Password. Each record in this list is a password that users are prevented from setting, even if it would otherwise satisfy the active policy's complexity rules.
Enabling the Validation Check
The system property glide.enable.blacklist_password controls whether the validation is active.
Direct exact-match only: the Excluded Password feature compares the proposed password against your list as a whole string. If you need partial-match or substring exclusions (for example, blocking any password that contains the word "admin"), implement them in a scripted policy using the Custom or Advanced preset (see Custom and Advanced Scripted Policies below).
Custom and Advanced Scripted Policies
For requirements that go beyond the standard fields — such as restricting maximum lowercase characters or excluding passwords containing specific words — use the Custom or Advanced preset and write a scripted policy.
Example: A Password Rule Script
Below is an example Password Rule Script of the kind the Advanced preset expects. Each rule has a hint (the message shown to users when the rule fails) and a regex (the pattern the password must match). Rules are pushed into an array and returned.

```javascript
// Password Rule Script (Advanced preset). Each rule pairs a hint, shown to the
// user when the rule fails, with a regex the candidate password must match.
// Add rules following this pattern and push them into the rules array:
//   var rule1 = { 'hint': gs.getMessage('Minimum 8 characters'), 'regex': '^.{8,}$' };
(function executePasswordRuleScript() {
    var rules = new Array();
    var rule1 = { 'hint': gs.getMessage('Minimum 9 characters'), 'regex': '^.{9,}$' };
    var rule2 = { 'hint': gs.getMessage('Minimum 1 lowercase character'), 'regex': '((.*?[a-z]).*?)' };
    var rule3 = { 'hint': gs.getMessage('Minimum 1 uppercase character'), 'regex': '((.*?[A-Z]).*?)' };
    var rule4 = { 'hint': gs.getMessage('Minimum 1 number'), 'regex': '((.*?[0-9]).*?)' };
    var rule5 = { 'hint': gs.getMessage('Minimum 1 special character'), 'regex': '((.*?[@$#!%^&*]).*?)' };
    var rule6 = { 'hint': gs.getMessage('Maximum 100 characters'), 'regex': '^.{0,100}$' };
    // Case-insensitive negative lookahead: reject any password containing "foo" or "bar".
    var rule7 = { 'hint': gs.getMessage('Do not include "foo" or "bar"'), 'regex': '(?i)^((?!foo|bar).)*$' };
    rules.push(rule1, rule2, rule3, rule4, rule5, rule6, rule7);
    return rules;
})();
```
Use case: excluding words. Rule 7 above shows how to reject specific words (here foo and bar) anywhere in the password. The pattern (?i)^((?!foo|bar).)*$ is a case-insensitive negative lookahead applied at every position, so it catches the word embedded in a longer password, which the Excluded Password list (whole-string match only) would not. Note also that rule 5 treats only the characters in its class [@$#!%^&*] as special; widen that class if your users are allowed other symbols.
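The Test Your Password field exercises one candidate at a time. The following added example (not ServiceNow code) runs the rule array against a batch of passwords locally before the policy is saved: it stubs gs.getMessage, keeps the seven rules from the script above verbatim, and evaluates each regex. One caveat it has to handle: the rules are evaluated server-side on the platform, where the inline (?i) flag in rule 7 is accepted, but JavaScript's RegExp rejects that syntax, so the harness translates a leading (?i) into the i flag. It also models the whole-string Excluded Password list beside rule 7 to show the difference described above; the excluded entries are constructed sample data.

```javascript
// Added example, not ServiceNow code: evaluate a Password Rule Script's rule
// array against candidate passwords locally, before the policy is saved.

// Stub of the ServiceNow server-side `gs` API used by the rule script;
// on the platform gs.getMessage returns the localised message.
const gs = { getMessage: function (s) { return s; } };

// The seven rules from the script above, kept verbatim so that what is
// tested here is exactly what would be pasted into the Password Rule Script field.
function executePasswordRuleScript() {
  var rules = [];
  rules.push({ hint: gs.getMessage('Minimum 9 characters'), regex: '^.{9,}$' });
  rules.push({ hint: gs.getMessage('Minimum 1 lowercase character'), regex: '((.*?[a-z]).*?)' });
  rules.push({ hint: gs.getMessage('Minimum 1 uppercase character'), regex: '((.*?[A-Z]).*?)' });
  rules.push({ hint: gs.getMessage('Minimum 1 number'), regex: '((.*?[0-9]).*?)' });
  rules.push({ hint: gs.getMessage('Minimum 1 special character'), regex: '((.*?[@$#!%^&*]).*?)' });
  rules.push({ hint: gs.getMessage('Maximum 100 characters'), regex: '^.{0,100}$' });
  rules.push({ hint: gs.getMessage('Do not include "foo" or "bar"'), regex: '(?i)^((?!foo|bar).)*$' });
  return rules;
}

// The platform evaluates these patterns server-side, where the inline (?i)
// flag is accepted. JavaScript's RegExp rejects it ("Invalid group"), so the
// harness translates a leading (?i) into the 'i' flag. Any other non-JS
// syntax would need the same treatment; none is used by the rules above.
function toJsRegExp(src) {
  var flags = '';
  if (src.indexOf('(?i)') === 0) { src = src.slice(4); flags += 'i'; }
  return new RegExp(src, flags);
}

// Hints of every rule the password fails; an empty array means accepted.
// The anchored rules (^...$) check the whole string; the unanchored ones
// only need a match somewhere, which is what RegExp.test provides.
function failedHints(password, rules) {
  return rules
    .filter(function (r) { return !toJsRegExp(r.regex).test(password); })
    .map(function (r) { return r.hint; });
}

// Constructed sample of an Excluded Password list. The page says that list
// is matched exactly; it is modelled here as plain string equality.
const EXCLUDED_PASSWORDS = new Set(['Password1!', 'Welcome123!']);
function isExcludedExact(password) { return EXCLUDED_PASSWORDS.has(password); }

// Batch check for review: { password: { excluded, failedHints } }.
function review(candidates) {
  var rules = executePasswordRuleScript();
  var out = {};
  candidates.forEach(function (p) {
    out[p] = { excluded: isExcludedExact(p), failedHints: failedHints(p, rules) };
  });
  return out;
}
```

`review(['Password1!', 'xPassword1!', 'myFooPass1!'])` makes the distinction visible: Password1! passes every regex rule and is stopped only by the exact list; xPassword1! passes the rules and slips past the exact list because it is not an exact match; myFooPass1! is caught by rule 7 because the lookahead scans every position for the embedded word.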
Related System Properties
The following system properties influence password policy behavior:
| Property | Purpose |
|---|---|
| glide.enable.password_policy | Enables the password policy on the instance. |
| glide.apply.password_policy.on_login | Applies the password policy at login, forcing users whose current password is non-compliant to update it. |
| glide.enable.blacklist_password | Enables the excluded password validation check. |
| glide.password_policy.use_excluded_special_char | Enables the Excluded Special Characters field on the Password Policy form. |
| glide.validate.sys_user.password.field | Validates the user password against the Password Policy when it is edited on the sys_user form or list view. |
If this guide helped you, drop a like below. Got a specific question or scenario? Comment below.