Password complexity rules
To develop secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, make sure you have a good grasp of the concepts used in the Security context.
User authentication usually requires a set of restrictions on how long and complex a password must be and which characters a user may choose. Where security demands periodic changes, password expiration also needs to be defined.
- See the User Authentication WBM topic or the User management WBM 2 topic for the general handling of user rights and roles.
- See the Authentication failure handling topic for more background on general restrictions that can cause problems.
From firmware 2022.0 LTS onwards, the password policy is organised into rulesets, so that different settings can easily be administered for different contexts.
Firmware from 2025.0
Two sets of password complexity rules are predefined and depend on the user roles. You may need to adjust the rulesets to meet the needs of your application. By default, we recommend the "Admin ruleset" for the user roles Admin, SecurityEngineer, SecurityAuditor, CertificateManager, UserManager, and Engineer; all other user roles may use the "Default ruleset".
- Adapt the ruleset to the conditions of your application.
- Apply a ruleset to each user role.
Secure-by-default devices or first generation of PLCnext Control devices with activated Security Profile
Password complexity rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Minimum characters count | Total number of characters a new password must at least contain. | 10 | 8 |
| Minimum ASCII characters count | Number of ASCII letters a new password must at least contain. | 2 | 2 |
| Minimum mixed letters count | Number of lowercase letters (a-z) and, separately, uppercase letters (A-Z) of the basic ASCII table that a new password must at least contain. | 1 | 1 |
| Minimum numbers count | Number of digits a new password must at least contain. | 1 | 1 |
| Minimum special characters count | Number of special characters a new password must at least contain. | 1 | 0 |
| Allowed special characters | ASCII special characters that count towards the special character rule. | {}()[]#,;.:^?!\| | {}()[]#,;.:^?!\| |
| Block username | A new password must not contain the username. | enabled | enabled |
| Block reused passwords | A previously used password is rejected when it is set again. | enabled | enabled |
| Password reuse | Number of previously used passwords that are checked in order to prevent their reuse. | 5 | 5 |
| Check block list | A new password must not contain a phrase from the blocklist. | disabled | disabled |
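As an added illustration (not PLCnext firmware code), the following Python check applies the complexity and reuse rules from the two rulesets above to candidate passwords. The `Ruleset` class, its field names, the case-insensitive username match and the sample passwords are assumptions made here; the numeric values are transcribed from the table.

```python
import string
from dataclasses import dataclass

# Added illustration, not PLCnext firmware code. Field values are transcribed
# from the secure-by-default tables above; names and structure are assumed.
@dataclass(frozen=True)
class Ruleset:
    min_chars: int           # Minimum characters count
    min_ascii_letters: int   # Minimum ASCII characters count
    min_mixed: int           # Minimum mixed letters count (lowercase AND uppercase each)
    min_digits: int          # Minimum numbers count
    min_special: int         # Minimum special characters count
    allowed_special: str = "{}()[]#,;.:^?!|"   # Allowed special characters
    block_username: bool = True                 # Block username
    reuse_history: int = 5                      # Password reuse (0 disables the check)

ADMIN_RULESET = Ruleset(min_chars=10, min_ascii_letters=2, min_mixed=1, min_digits=1, min_special=1)
DEFAULT_RULESET = Ruleset(min_chars=8, min_ascii_letters=2, min_mixed=1, min_digits=1, min_special=0)

def check_password(pw: str, username: str, history: list[str], rules: Ruleset) -> list[str]:
    """Return the names of the violated rules; an empty list means the password is accepted.
    `history` holds the user's previous passwords, oldest first. A real system stores
    and compares salted hashes; plain strings keep this example self-contained.
    """
    lower = sum(c in string.ascii_lowercase for c in pw)
    upper = sum(c in string.ascii_uppercase for c in pw)
    digits = sum(c in string.digits for c in pw)
    # Only characters from the allowed set count; other symbols (e.g. '-') do not.
    special = sum(c in rules.allowed_special for c in pw)
    fails = []
    if len(pw) < rules.min_chars:
        fails.append("min_chars")
    if lower + upper < rules.min_ascii_letters:
        fails.append("min_ascii_letters")
    if min(lower, upper) < rules.min_mixed:
        fails.append("min_mixed_letters")
    if digits < rules.min_digits:
        fails.append("min_digits")
    if special < rules.min_special:
        fails.append("min_special")
    # Page wording: the password must not contain the username (case-insensitive match assumed).
    if rules.block_username and username and username.lower() in pw.lower():
        fails.append("block_username")
    # Only the last `reuse_history` passwords are compared, per the "Password reuse" setting.
    if rules.reuse_history and pw in history[-rules.reuse_history:]:
        fails.append("password_reuse")
    return fails
```

Note that a symbol outside the allowed set (such as "-") does not satisfy the special character rule even though it still counts towards the total length.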
Password interval rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password interval rules | The password interval rules are applied in the system. | disabled | disabled |
| Password changes per interval | Number of allowed password changes per interval. | 0 | 3 |
| Password change interval | Time interval within which the number of password changes is limited. | 0 Days | 1 Day(s) |
Password expiration rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password expiration rules | The password expiration rules are applied in the system. | disabled | disabled |
| User lock is active | The password expiration rules are applied in the system. | disabled | disabled |
| Days until expiration | Number of days that may pass before the current password expires. | 120 | 240 |
| Days until warning | Number of days before the password expires on which the user is warned to change the current password. | 30 | 30 |
First generation of PLCnext Control devices with deactivated Security Profile
Password complexity rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Minimum characters count | Total number of characters a new password must at least contain. | 10 | 6 |
| Minimum ASCII characters count | Number of ASCII letters a new password must at least contain. | 2 | 0 |
| Minimum mixed letters count | Number of lowercase letters (a-z) and, separately, uppercase letters (A-Z) of the basic ASCII table that a new password must at least contain. | 1 | 0 |
| Minimum numbers count | Number of digits a new password must at least contain. | 1 | 0 |
| Minimum special characters count | Number of special characters a new password must at least contain. | 1 | 0 |
| Allowed special characters | ASCII special characters that count towards the special character rule. | {}()[]#,;.:^?!\| | {}()[]#,;.:^?!\| |
| Block username | A new password must not contain the username. | enabled | disabled |
| Block reused passwords | A previously used password is rejected when it is set again. | enabled | disabled |
| Password reuse | Number of previously used passwords that are checked in order to prevent their reuse. | 5 | 0 |
| Check block list | A new password must not contain a phrase from the blocklist. | disabled | disabled |
Password interval rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password interval rules | The password interval rules are applied in the system. | disabled | disabled |
| Password changes per interval | Number of allowed password changes per interval. | 3 | 3 |
| Password change interval | Time interval within which the number of password changes is limited. | 3 Days | 1 Day(s) |
Password expiration rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password expiration rules | The password expiration rules are applied in the system. | disabled | disabled |
| User lock is active | The password expiration rules are applied in the system. | disabled | disabled |
| Days until expiration | Number of days that may pass before the current password expires. | 120 | 120 |
| Days until warning | Number of days before the password expires on which the user is warned to change the current password. | 7 | 7 |
Firmware 2022.0 LTS up to 2024.6
First generation of PLCnext Control devices with activated Security Profile
Password complexity rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Minimum characters count | Total number of characters a new password must at least contain. | 10 | 8 |
| Minimum ASCII characters count | Number of ASCII letters a new password must at least contain. | 2 | 2 |
| Minimum mixed letters count | Number of lowercase letters (a-z) and, separately, uppercase letters (A-Z) of the basic ASCII table that a new password must at least contain. | 1 | 1 |
| Minimum numbers count | Number of digits a new password must at least contain. | 1 | 1 |
| Minimum special characters count | Number of special characters a new password must at least contain. | 1 | 0 |
| Allowed special characters | ASCII special characters that count towards the special character rule. | {}()[]#,;.:^?!\| | {}()[]#,;.:^?!\| |
| Block username | A new password must not contain the username. | enabled | enabled |
| Block reused passwords | A previously used password is rejected when it is set again. | enabled | enabled |
| Password reuse | Number of previously used passwords that are checked in order to prevent their reuse. | 5 | 5 |
| Check block list | A new password must not contain a phrase from the blocklist. | disabled | disabled |
Password interval rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password interval rules | The password interval rules are applied in the system. | disabled | disabled |
| Password changes per interval | Number of allowed password changes per interval. | 0 | 3 |
| Password change interval | Time interval within which the number of password changes is limited. | 0 Days | 1 Day(s) |
Password expiration rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password expiration rules | The password expiration rules are applied in the system. | disabled | disabled |
| User lock is active | The password expiration rules are applied in the system. | disabled | disabled |
| Days until expiration | Number of days that may pass before the current password expires. | 120 | 240 |
| Days until warning | Number of days before the password expires on which the user is warned to change the current password. | 30 | 30 |
First generation of PLCnext Control devices with deactivated Security Profile
Password complexity rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Minimum characters count | Total number of characters a new password must at least contain. | 10 | 8 |
| Minimum ASCII characters count | Number of ASCII letters a new password must at least contain. | 2 | 2 |
| Minimum mixed letters count | Number of lowercase letters (a-z) and, separately, uppercase letters (A-Z) of the basic ASCII table that a new password must at least contain. | 1 | 1 |
| Minimum numbers count | Number of digits a new password must at least contain. | 1 | 1 |
| Minimum special characters count | Number of special characters a new password must at least contain. | 1 | 0 |
| Allowed special characters | ASCII special characters that count towards the special character rule. | {}()[]#,;.:^?!\| | {}()[]#,;.:^?!\| |
| Block username | A new password must not contain the username. | enabled | enabled |
| Block reused passwords | A previously used password is rejected when it is set again. | enabled | enabled |
| Password reuse | Number of previously used passwords that are checked in order to prevent their reuse. | 5 | 5 |
| Check block list | A new password must not contain a phrase from the blocklist. | disabled | disabled |
Password interval rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password interval rules | The password interval rules are applied in the system. | disabled | disabled |
| Password changes per interval | Number of allowed password changes per interval. | 0 | 3 |
| Password change interval | Time interval within which the number of password changes is limited. | 0 Days | 1 Day(s) |
Password expiration rules
| Setting | Explanation | Admin ruleset | Default ruleset |
|---|---|---|---|
| Password expiration rules | The password expiration rules are applied in the system. | disabled | disabled |
| User lock is active | The password expiration rules are applied in the system. | disabled | disabled |
| Days until expiration | Number of days that may pass before the current password expires. | 120 | 240 |
| Days until warning | Number of days before the password expires on which the user is warned to change the current password. | 30 | 30 |