Amazon Cognito
Developer Guide

Configuring User Pool Password Policies

Password Policy

The following characters are allowed in passwords, regardless of the policy you set: uppercase and lowercase letters, numbers, and the special characters listed below.

You can specify the following password requirements in the AWS Management Console:

  • Minimum length, which must be at least 6 and at most 99 characters

  • Require numbers

  • Require special character, which includes the following set:

    ^ $ * . [ ] { } ( ) ? - " ! @ # % & / \ , > < ' : ; | _ ~ `

  • Require uppercase letters

  • Require lowercase letters


Specifying a minimum password length of at least 8 characters, and requiring uppercase, lowercase, numeric, and special characters, increases the complexity of the passwords users in your user pool can choose. The added complexity raises the cost of guessing attacks and of attacks that try common patterns. It is generally considered a best practice to require strong passwords by using these options.

Admin Create User Policy

You can specify the following policies for Admin Create User:

  • Specify whether to allow users to sign themselves up. This option is enabled by default. If it is disabled, only administrators can create users in this pool, and calls to the SignUp API fail with NotAuthorizedException.

  • Specify the account expiration limit (in days) for accounts that an administrator creates. The default setting is 7 days, measured from the time the user account is created, and the maximum setting is 90 days. After the account expires, the user cannot sign in until an administrator updates the user's profile, either by updating an attribute or by resending the temporary password to the user.


    Once the user has signed in, the account never expires.
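The following is an added example, not Amazon's code, showing the AdminCreateUserConfig block that corresponds to the two options above, the expiry rule applied to an admin-created account, and the admin_create_user call that resets an expired account by resending the temporary password. It assumes the boto3 key names AllowAdminCreateUserOnly and UnusedAccountValidityDays are the API equivalents of the console options, that the validity period must be between 1 and 90 days, and that MessageAction="RESEND" is the resend operation; the user pool ID and username are placeholders.

```python
"""Admin Create User settings and the expiry rule they imply.

Added example, not Amazon's code. Key names follow the boto3 cognito-idp
API; the 1..90 day range and the placeholders are assumptions.
"""
from datetime import datetime, timedelta, timezone


def admin_create_user_config(allow_self_signup: bool = True,
                             unused_account_validity_days: int = 7) -> dict:
    """AdminCreateUserConfig parameter for create_user_pool / update_user_pool."""
    if not 1 <= unused_account_validity_days <= 90:
        raise ValueError("unused_account_validity_days must be between 1 and 90")
    return {
        # The console option is phrased as "allow self sign-up"; the API flag
        # is its inverse. When it is True, SignUp fails with
        # NotAuthorizedException and only administrators can create users.
        "AllowAdminCreateUserOnly": not allow_self_signup,
        "UnusedAccountValidityDays": unused_account_validity_days,
    }


def account_expired(created_at: datetime, has_signed_in: bool,
                    validity_days: int, now: datetime) -> bool:
    """Expiry rule from the guide: an admin-created account that has never
    been used expires validity_days after creation; once the user has signed
    in it never expires."""
    if has_signed_in:
        return False
    return now >= created_at + timedelta(days=validity_days)


def resend_temporary_password_request(user_pool_id: str, username: str) -> dict:
    """Keyword arguments for cognito-idp admin_create_user that resend the
    invitation with a new temporary password to an existing, expired user,
    which restores the user's ability to sign in."""
    return {
        "UserPoolId": user_pool_id,
        "Username": username,
        "MessageAction": "RESEND",
    }


if __name__ == "__main__":
    # Constructed timestamps; the pool ID and username are placeholders.
    config = admin_create_user_config(allow_self_signup=False,
                                      unused_account_validity_days=7)
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = created + timedelta(days=8)
    if account_expired(created, False, config["UnusedAccountValidityDays"], now):
        print(resend_temporary_password_request("us-east-1_EXAMPLE", "alice"))
```

Pass the dictionary from `resend_temporary_password_request` as keyword arguments to a `boto3.client("cognito-idp").admin_create_user(...)` call; the example builds the request rather than sending it so it runs without AWS credentials.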