Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Adobe Summit 2023 [19th to 23rd March, Las Vegas and Virtual] | Complete AEM Session & Lab list

AEM User password policy


Level 4

AEM 6.5.4 -

I was looking for a guide/ sample on User password management. Found reference to 6.1 and even 5.x version, some no longer available, is there something more current?


1. configuring the user password policy

a. Max age allowed for a password

b. How many characters

c. Password Complexity rules

d. How often you can repeat your password

e. Disable user after x number of failed tries



2. Through servlets/models have back-end functions that will be called from our own site pages

a. Forgot my UserID

b. Forgot my password

c. Validate complexity and the updated password

d. Reset password

e. Unlock user account


1 Accepted Solution


Correct answer by
Employee Advisor
4 Replies


Correct answer by
Employee Advisor


Level 4
@Mayank_Gandhi, thank you. Let me have a look and see if we can get the answers from there.


Level 4

Some additional comments for others


1. Password complexity: "Apache Jackrabbit Oak AuthorizableActionProvider" ( (


2. for AEM Form on JEE there is a feature to disable user after x number of failed login tries +  second parameter to unlock the account automatically after y number of minutes)


This feature was also requested before for AEM on OSGI see: AEM Account Lockout feature request (

@Mayank_GandhiAny update on the status of this?


As a solution:

There is a suggestion to overwrite the /libs/granite/core/components/login/login.jsp to add a counter to the user Account. See AEM Account lock feature  (

You can then combine this with the "rep:disabled" node under a userAccount to disable the user after x fail tries and either force the user to reset his/her password or write a scheduled job to find and enable these accounts again after x minutes. 


Level 4

To add on, I came across this example that override the /j_security_check. We can look at this and adjust it accordingly to to implement our failed user count. Will try to do this in the coming days.