Require Minimum and Maximum Password Length

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    Set minimum and maximum password lengths to avoid compliance issues and reduce the risk of a successful brute force attack

    Password policies define the requirements for passwords your users create on your instance. The password length must fall within the range accepted by the NIST 800-63B document.

    Ensure that a password policy is being enforced for each password credential store in use on your instance. Ensure that the password policy mandates a minimum password length of at least 15 characters and maximum password length of at least 64 characters.

    For each password credential store record in the Password Reset Credential Stores [pwd_cred_store] table:
    1. Ensure that a password policy is being enforced for each password credential store in use on your instance:

      For each password credential store record in the Password Reset Credential Stores [pwd_cred_store] table, ensure that the Enable password policy field is activated.

    2. Ensure that the password policy mandates a minimum password length of at least 15 characters and maximum password length of at least 64 characters.

      Navigate to the Password Policy [password_policy] record referenced in the record's Password policy field. Ensure that the Minimum Password Length field is set to at least 15 and the Maximum Password Length field is set to at least 64.

    For further instructions on configuring a password policy, see Enable password policies on your instance.

    More information

    Attribute: Description

    Configuration name:
    • Password Reset Credential Store [pwd_cred_store] table
    • Password Policy [password_policy]

    Configuration type:
    • Table records
    • Table records

    Data type:
    • Boolean
    • Integer

    Recommended value:
    • The Enable password policy field on each Password Reset Credential Stores [pwd_cred_store] record must be activated (true).
    • The Minimum Password Length on the associated Password Policy [password_policy] record must be at least 15.
    • The Maximum Password Length on the associated Password Policy [password_policy] record must be at least 64.

    Default value:
    • The Minimum Password Length on Password Policy [password_policy] records is 8 by default.
    • The Maximum Password Length on Password Policy [password_policy] records is 100 by default.

    Fallback value:
    • The fallback value of Minimum Password Length on Password Policy [password_policy] records is 8.
    • The fallback value of Maximum Password Length on Password Policy [password_policy] records is 100.

    Category:
    • Authentication

    Security risk:
    • Severity score: 5.9
    • CVSS score: Medium
    • Security risk details: Allowing passwords that are too short or not long enough could lead to compliance issues and increase the risk of an attacker successfully brute forcing passwords.

    Functional impact:
    • Instances do not suffer any impact from a minimum password length of 15 or maximum password length of 64.

    Dependencies and prerequisites:
    • None
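
The two checks from the procedure above, with the fallback values from the table applied when a length is unset, as an added JavaScript example that is not ServiceNow's own code. It audits exported table rows offline; the column names `enable_password_policy`, `password_policy`, `min_length` and `max_length`, and the treatment of an empty length as the fallback value, are assumptions to adjust to your instance's dictionary.

```javascript
// Added example. Column names below are assumptions for illustration;
// confirm the real column names in your instance's dictionary.
const MIN_REQUIRED = 15;  // page: minimum length must be at least 15
const MAX_REQUIRED = 64;  // page: maximum length must be at least 64
const FALLBACK_MIN = 8;   // page: fallback value for Minimum Password Length
const FALLBACK_MAX = 100; // page: fallback value for Maximum Password Length

// Parse an exported integer field; empty or non-numeric is treated as unset.
function effective(value, fallback) {
  const n = Number.parseInt(value, 10);
  return Number.isNaN(n) ? fallback : n;
}

// stores: rows from pwd_cred_store; policies: rows from password_policy.
function auditCredentialStores(stores, policies) {
  const bySysId = new Map(policies.map((p) => [p.sys_id, p]));
  const findings = [];
  for (const store of stores) {
    const add = (issue) => findings.push({ store: store.name, issue });
    if (String(store.enable_password_policy) !== 'true') {
      add('Enable password policy is not activated');
    }
    const policy = bySysId.get(store.password_policy);
    if (!policy) {
      add('no Password Policy record is referenced');
      continue;
    }
    const min = effective(policy.min_length, FALLBACK_MIN);
    const max = effective(policy.max_length, FALLBACK_MAX);
    if (min < MIN_REQUIRED) add(`minimum length ${min} is below ${MIN_REQUIRED}`);
    if (max < MAX_REQUIRED) add(`maximum length ${max} is below ${MAX_REQUIRED}`);
  }
  return findings;
}

// Constructed sample export (not real instance data).
const samplePolicies = [
  { sys_id: 'p1', name: 'Hardened', min_length: '15', max_length: '64' },
  { sys_id: 'p2', name: 'Defaults', min_length: '', max_length: '' },
  { sys_id: 'p3', name: 'Short max', min_length: '16', max_length: '32' },
];
const sampleStores = [
  { name: 'Local', enable_password_policy: 'true', password_policy: 'p1' },
  { name: 'AD', enable_password_policy: 'true', password_policy: 'p2' },
  { name: 'LDAP', enable_password_policy: 'false', password_policy: 'p3' },
  { name: 'Legacy', enable_password_policy: 'true', password_policy: '' },
];

console.log(auditCredentialStores(sampleStores, samplePolicies));
```

A store whose policy lengths were never set is reported with the fallback minimum of 8, which is the case a check that only looks at explicitly configured values would miss.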