PasswordRequirements

  • PasswordRequirements define the criteria for the password used to unlock a device, including minimum length, required character types, history length, and failed attempts before wiping.

  • ThepasswordQuality setting specifies the required complexity of the password, with options ranging from no requirements to complex alphanumeric combinations or specific complexity bands.

  • RequirePasswordUnlock controls how long alternative authentication methods can be used after a strong authentication before a password, PIN, or pattern is required again.

  • UnifiedLockSettings manages whether a single lock can be used for both the device and the work profile on compatible devices.

Requirements for the password used to unlock a device.

JSON representation
{"passwordMinimumLength":integer,"passwordMinimumLetters":integer,"passwordMinimumLowerCase":integer,"passwordMinimumNonLetter":integer,"passwordMinimumNumeric":integer,"passwordMinimumSymbols":integer,"passwordMinimumUpperCase":integer,"passwordQuality":enum (PasswordQuality),"passwordHistoryLength":integer,"maximumFailedPasswordsForWipe":integer,"passwordExpirationTimeout":string,"passwordScope":enum (PasswordPolicyScope),"requirePasswordUnlock":enum (RequirePasswordUnlock),"unifiedLockSettings":enum (UnifiedLockSettings)}
Fields
passwordMinimumLength

integer

The minimum allowed password length. A value of 0 means there is no restriction. Only enforced whenpasswordQuality isNUMERIC,NUMERIC_COMPLEX,ALPHABETIC,ALPHANUMERIC, orCOMPLEX.

passwordMinimumLetters

integer

Minimum number of letters required in the password. Only enforced whenpasswordQuality isCOMPLEX.

passwordMinimumLowerCase

integer

Minimum number of lower case letters required in the password. Only enforced whenpasswordQuality isCOMPLEX.

passwordMinimumNonLetter

integer

Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced whenpasswordQuality isCOMPLEX.

passwordMinimumNumeric

integer

Minimum number of numerical digits required in the password. Only enforced whenpasswordQuality isCOMPLEX.

passwordMinimumSymbols

integer

Minimum number of symbols required in the password. Only enforced whenpasswordQuality isCOMPLEX.

passwordMinimumUpperCase

integer

Minimum number of upper case letters required in the password. Only enforced whenpasswordQuality isCOMPLEX.

passwordQuality

enum (PasswordQuality)

The required password quality.

passwordHistoryLength

integer

The length of the password history. After setting this field, the user won't be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.

maximumFailedPasswordsForWipe

integer

Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.

passwordExpirationTimeout

string (Duration format)

Password expiration timeout.

A duration in seconds with up to nine fractional digits, ending with 's'. Example:"3.5s".

passwordScope

enum (PasswordPolicyScope)

The scope that the password requirement applies to.

requirePasswordUnlock

enum (RequirePasswordUnlock)

The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.

unifiedLockSettings

enum (UnifiedLockSettings)

Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only ifpasswordScope is set toSCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set toREQUIRE_SEPARATE_WORK_LOCK, aNonComplianceDetail is reported withnonComplianceReason set toUSER_ACTION.

PasswordQuality

Password quality requirements.

Note:

  • Complexity-based requirements areCOMPLEXITY_LOW,COMPLEXITY_MEDIUM andCOMPLEXITY_HIGH.
  • An instance ofPasswordRequirements is said to be device-scoped if it haspasswordScope set toSCOPE_DEVICE.
  • An instance ofPasswordRequirements is said to be profile-scoped if it haspasswordScope set toSCOPE_PROFILE.
  • An instance ofPasswordRequirements is said to be complexity-based (respectively, non-complexity-based) if it haspasswordQuality set to a complexity-based (respectively, non-complexity-based) value.
  • For each scope, if a complexity-based element is present, a non-complexity-based element must also be present for the same scope.
  • If a profile-scoped complexity-based element is present and device-scoped elements are present, then both device-scoped complexity-based and device-scoped non-complexity based elements must be present.
  • If there are profile-scoped elements with both complexity-based and non-complexity-based values (in this case the device-scoped elements must not be present or must have both complexity-based and non-complexity-based values as well), then the respective complexity-based values apply to devices with work profiles on Android 12 and above for both scopes, and the respective non-complexity-based values apply on all other devices.
  • If there are device-scoped elements with both complexity-based and non-complexity-based values but no profile-scoped elements are present, then complexity-based value applies to personally owned work profile devices on Android 12 and above, and only the non-complexity-based value applies on all other devices.
  • A non-complexity-based device-scoped requirement applied on personally owned work profile devices on Android 12 and above will be treated as the next strictest complexity-based requirement for application. This may lead to a slight discrepancy between the requested requirements and the applied requirements.
  • SeeappliedPasswordPolicies for which password requirements are actually taking effect on the device.
  • Refer to thePasswordQuality guide for more details on howPasswordRequirements instances are chosen to be applied based on the management mode.
Enums
PASSWORD_QUALITY_UNSPECIFIEDThere are no password requirements.
BIOMETRIC_WEAK

The device must be secured with a low-security biometric recognition technology, at minimum. This includes technologies that can recognize the identity of an individual that are roughly equivalent to a 3-digit PIN (false detection is less than 1 in 1,000).

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_LOW for application. SeePasswordQuality for details.

SOMETHING

A password is required, but there are no restrictions on what the password must contain.

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_LOW for application. SeePasswordQuality for details.

NUMERIC

The password must contain numeric characters.

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_MEDIUM for application. SeePasswordQuality for details.

NUMERIC_COMPLEX

The password must contain numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences.

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_MEDIUM for application. SeePasswordQuality for details.

ALPHABETIC

The password must contain alphabetic (or symbol) characters.

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_HIGH for application. SeePasswordQuality for details.

ALPHANUMERIC

The password must contain both numeric and alphabetic (or symbol) characters.

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_HIGH for application. SeePasswordQuality for details.

COMPLEX

The password must meet the minimum requirements specified inpasswordMinimumLength,passwordMinimumLetters,passwordMinimumSymbols, etc. For example, ifpasswordMinimumSymbols is2, the password must contain at least two symbols.

This, when applied on personally owned work profile devices on Android 12 device-scoped, will be treated asCOMPLEXITY_HIGH for application. In this case, the requirements inpasswordMinimumLength,passwordMinimumLetters,passwordMinimumSymbols, etc are not applied. SeePasswordQuality for details.

COMPLEXITY_LOW

Define the low password complexity band as:

  • pattern
  • PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences

This sets the minimum complexity band which the password must meet.

Enforcement varies among different Android versions, management modes and password scopes. SeePasswordQuality for details.

COMPLEXITY_MEDIUM

Define the medium password complexity band as:

  • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
  • alphabetic, length at least 4
  • alphanumeric, length at least 4

This sets the minimum complexity band which the password must meet.

Enforcement varies among different Android versions, management modes and password scopes. SeePasswordQuality for details.

COMPLEXITY_HIGH

Define the high password complexity band as:

On Android 12 and above:

  • PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
  • alphabetic, length at least 6
  • alphanumeric, length at least 6

This sets the minimum complexity band which the password must meet.

Enforcement varies among different Android versions, management modes and password scopes. SeePasswordQuality for details.

RequirePasswordUnlock

The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.

Enums
REQUIRE_PASSWORD_UNLOCK_UNSPECIFIEDUnspecified. Defaults to USE_DEFAULT_DEVICE_TIMEOUT.
USE_DEFAULT_DEVICE_TIMEOUTThe timeout period is set to the device’s default.
REQUIRE_EVERY_DAYThe timeout period is set to 24 hours.

UnifiedLockSettings

Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This has no effect on other devices.

Enums
UNIFIED_LOCK_SETTINGS_UNSPECIFIEDUnspecified. Defaults toALLOW_UNIFIED_WORK_AND_PERSONAL_LOCK.
ALLOW_UNIFIED_WORK_AND_PERSONAL_LOCKA common lock for the device and the work profile is allowed.
REQUIRE_SEPARATE_WORK_LOCKA separate lock for the work profile is required.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-03 UTC.