What does each preset assume?

Basic is a low-friction 8-character minimum with a number required. Standard requires 12 characters and all four character classes with 90-day expiry. Strict raises the minimum to 16, blocks the last 24 passwords, and locks accounts after three failed attempts.

Does longer length really beat forced complexity?

Modern guidance such as NIST SP 800-63B emphasises length and screening against breached passwords over forced symbol mixes, because complexity rules push users toward predictable patterns. The tool lets you favour either approach.

Should passwords expire on a schedule?

Current best practice discourages mandatory periodic expiry unless there is evidence of compromise, since it leads to weaker incremental passwords. Set expiry to 0 to disable scheduled expiry, which Basic does by default.

What is in the JSON config?

The JSON mirrors every setting as machine-readable fields, including minLength, maxLength, the four require flags, disallowReuseLast, expiryDays, maxFailedAttempts, and lockoutMinutes, ready to load into your auth layer.

Is anything sent to a server?

No. The policy is built entirely in your browser from your inputs, so you can iterate freely and nothing leaves your device.

Password Policy Generator

The Password Policy Generator turns a few choices into a complete, consistent password policy — expressed both as plain-English rules for your documentation and as a JSON config your authentication system can consume. It is useful for security teams writing an internal standard or engineers wiring up a sign-up form.

How it works

You start from a preset (Basic, Standard, or Strict) or build a custom policy. Each policy captures the settings real auth systems enforce:

Length — a minimum and maximum character count.
Character classes — independent toggles for lowercase, uppercase, number, and symbol requirements.
History and expiry — how many previous passwords are blocked from reuse, and whether passwords expire after a set number of days.
Lockout — how many failed attempts trigger a lock and for how long.

The tool then renders a bulleted human-readable summary and the equivalent JSON, keeping the two views perfectly in sync as you adjust any field.

Tips and notes

The required-character-class counter shows how many of the four classes are enforced, a quick proxy for complexity.
Following NIST SP 800-63B, favour a longer minimum length and breached-password screening over piling on symbol requirements.
Set expiry to 0 to disable scheduled password rotation, which modern guidance recommends unless a compromise is suspected.
Both outputs copy with one click, so you can drop the text into a policy doc and the JSON straight into your auth configuration.