Ability to configure user password expiration date
### Description

If we want to strengthen our security policy, the only options are to configure a password length limit and add 2-factor authentication. But some users never change the password that was set on their first login to GitLab. These users are vulnerable from a security perspective.

### Proposal

* Allow an admin to set a password expiration policy at the instance level.
* An admin should be able to specify that passwords expire every X days.
* A user using a password should receive an email notifying them that their password has expired.
* We can consider using the "reset password" flow to create a new password.
* Previously used passwords shouldn't be valid.

### Links / references

### Current NIST Guidelines

Also, I want to pass along the most recent password change guidelines from NIST (Sept 2021):

> How Often Should You Change Your NIST Password?
>
> Contrary to popular belief and prior standards, NIST does not suggest changing passwords on a frequent basis; individuals who are asked to change passwords frequently are much more likely to keep an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. If you have a data breach or you know your password has been compromised, then it is time for a password change; otherwise, an annual password reset is enough.