User passwords

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

If you use a password to sign in to GitLab, a strong password is very important. A weak or guessable password makes it easier for unauthorized people to sign in to your account.

Some organizations require you to meet certain requirements when choosing a password.

Improve the security of your account with two-factor authentication.

Choose your password

You can choose a password when you create a user account.

If you register your account using an external authentication and authorization provider, you do not need to choose a password. GitLab sets a random, unique, and secure password for you.

Change your password

History

You can change your password. GitLab enforces password requirements when you choose your new password.

Change a known password

On the left sidebar, select your avatar.
Select Edit profile.
On the left sidebar, select Password.
In the Current password text box, enter your current password.
In the New password and Password confirmation text box, enter your new password.
Select Save password.

Change an unknown password

If you do not know your current password, select Forgot your password? from the GitLab sign-in page and complete the form.

If you enter a verified email address for an existing account, GitLab sends a password reset email. If the provided email address isn’t associated with an existing account, no email is sent.

In both situations, you are redirected to the sign-in page and see the following message:

“If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes.”

Your account can have more than one verified email address, and any email address associated with your account can be verified. However, only the primary email address can be used to sign in once the password is reset.

Password requirements

Your passwords must meet a set of requirements when:

You choose a password during registration.
You choose a new password using the forgotten password reset flow.
You change your password proactively.
You change your password after it expires.
An administrator creates your account.
An administrator updates your account.

By default GitLab enforces the following password requirements:

Minimum and maximum password lengths. For example, see the settings for GitLab.com.
Disallowing weak passwords.

Self-managed installations can configure the following additional password requirements:

Block weak passwords

History

GitLab disallows weak passwords. Your password is considered weak when it:

Matches one of 4500+ known, breached passwords.
Contains part of your name, username, or email address.
Contains a predictable word (for example, gitlab or devops).

Weak passwords are rejected with the error message: Password must not contain commonly used combinations of words and letters.

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support