Password minimum length now configurable

Enterprise customers can now enforce stronger password policies by setting N8N_PASSWORD_MIN_LENGTH, addressing security audit requirements for 50+ bits of password entropy.
n8n deployments can now enforce custom minimum password lengths to meet enterprise security requirements. The new N8N_PASSWORD_MIN_LENGTH environment variable lets organizations configure password policies between 8 and 64 characters, with a default of 8. This matters for security-conscious organizations: a 9-character minimum bumps password entropy from ~47.6 to ~53.6 bits, crossing the 50-bit threshold that many audit frameworks require. The configuration plugs into n8n's existing validation pipeline, so password checks throughout the application automatically respect the new minimum.
Summary
- Adds `N8N_PASSWORD_MIN_LENGTH` env var to configure minimum password length (default: 8, range: 8–64)
- Adds `PasswordConfig` to `@n8n/config` under `UserManagementConfig`
- Updates `passwordSchema` in `@n8n/api-types` to read from the env var at startup
- No breaking changes — default behavior is unchanged
Context
Enterprise customers require configurable password policies to meet security audit thresholds (50+ bits of entropy). Setting N8N_PASSWORD_MIN_LENGTH=9 achieves ~53.6 bits with the existing character requirements (uppercase + digit).
| Min Length | Entropy (bits) | Meets 50-bit? |
|---|---|---|
| 8 (default) | ~47.6 | No |
| 9 | ~53.6 | Yes |
| 10 | ~59.5 | Yes |
Test plan
- Unit tests for schema with custom env var (12-char min enforced)
- Unit tests for boundary cases (below floor, non-numeric, above max all default to 8)
- Config system test verifies `N8N_PASSWORD_MIN_LENGTH` parsed via DI
- Existing password schema tests pass unchanged
- Full build passes
- Typecheck passes
🤖 Generated with Claude Code
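
The fallback behaviour from the test plan and the entropy figures from the table, as an added example that is not n8n's code and does not use its `passwordSchema`. All function names are hypothetical, and the 62-symbol alphabet (a-z, A-Z, 0-9) is an assumption inferred from the table's numbers, which describe uniformly random passwords.

```typescript
// Added example: not n8n source. All names below are hypothetical.
const DEFAULT_MIN = 8; // default and floor stated on the page
const MAX_MIN = 64; // upper bound of the configurable range

// Parse a raw N8N_PASSWORD_MIN_LENGTH value. Per the test plan, a value that
// is below the floor, above the max, or non-numeric falls back to the default.
function resolveMinLength(raw: string | undefined): number {
  if (raw === undefined) return DEFAULT_MIN;
  const trimmed = raw.trim();
  if (!/^\d+$/.test(trimmed)) return DEFAULT_MIN; // rejects "abc", "-3", "9.5"
  const n = Number(trimmed);
  return n >= DEFAULT_MIN && n <= MAX_MIN ? n : DEFAULT_MIN;
}

// Check a password against the configured minimum plus the character
// requirements the page mentions (one uppercase letter, one digit).
function validatePassword(password: string, minLength: number): string[] {
  const errors: string[] = [];
  if (password.length < minLength) {
    errors.push(`must be at least ${minLength} characters`);
  }
  if (!/[A-Z]/.test(password)) errors.push("must contain an uppercase letter");
  if (!/\d/.test(password)) errors.push("must contain a digit");
  return errors;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
// Assumption: 62 symbols, which reproduces ~47.6 / ~53.6 / ~59.5 bits.
function entropyBits(length: number, alphabetSize = 62): number {
  return (length * Math.log(alphabetSize)) / Math.LN2;
}

// Smallest allowed minimum length that reaches a target entropy,
// or null when no value in the 8-64 range is enough.
function minLengthForBits(targetBits: number, alphabetSize = 62): number | null {
  for (let len = DEFAULT_MIN; len <= MAX_MIN; len++) {
    if (entropyBits(len, alphabetSize) >= targetBits) return len;
  }
  return null;
}
```
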