How to enforce strong passwords for all users in Matomo
Superusers can enforce strong password requirements to improve account security and reduce the risk of brute-force attacks. This can be manually enabled through an admin setting, which will prompt all users to meet industry-standard complexity rules when setting or updating their password. The setting is currently disabled by default.
When enabled, it only applies when a password is being set or updated. Existing passwords that do not meet the new rules will continue to work until changed by the user or superuser.
What counts as a strong password?
Matomo considers a password to be strong if it meets all of the following rules. During password entry, users will receive instant feedback showing which rules are satisfied and which rules must still be met.
- At least 12 characters long.
- Includes at least one uppercase letter (A–Z).
- Includes at least one lowercase letter (a–z).
- Includes at least one number (0–9).
- Includes at least one special character (e.g. !@#$%^&*).
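As an added example (this is not Matomo's own code), the checker below applies the five rules above in the browser and returns per-rule feedback of the kind a user sees while typing; treating any non-alphanumeric character as "special" is an assumption, since the page only lists examples of such characters.

```javascript
// Added example, not Matomo's own implementation.
// Each rule mirrors one item of the strong-password list above.
const STRONG_PASSWORD_RULES = [
  { id: 'length',    label: 'At least 12 characters long',         test: (p) => [...p].length >= 12 },
  { id: 'uppercase', label: 'At least one uppercase letter (A-Z)', test: (p) => /[A-Z]/.test(p) },
  { id: 'lowercase', label: 'At least one lowercase letter (a-z)', test: (p) => /[a-z]/.test(p) },
  { id: 'number',    label: 'At least one number (0-9)',           test: (p) => /[0-9]/.test(p) },
  // Assumption: anything that is not A-Z, a-z or 0-9 counts as a special character.
  { id: 'special',   label: 'At least one special character',      test: (p) => /[^A-Za-z0-9]/.test(p) },
];

// Evaluate every rule and report which are satisfied and which are still unmet.
// [...p].length counts code points, so a single non-ASCII character counts once.
function checkStrongPassword(password) {
  const results = STRONG_PASSWORD_RULES.map((rule) => ({
    id: rule.id,
    label: rule.label,
    satisfied: rule.test(password),
  }));
  return {
    strong: results.every((r) => r.satisfied),
    unmet: results.filter((r) => !r.satisfied).map((r) => r.id),
    results,
  };
}

// Render the per-rule status as text lines, like the instant feedback list in the UI.
function formatFeedback(password) {
  return checkStrongPassword(password).results.map(
    (r) => `${r.satisfied ? '[x]' : '[ ]'} ${r.label}`,
  );
}

// Constructed sample inputs.
console.log(formatFeedback('Tr0ub4dor&3').join('\n'));        // only the length rule is unmet
console.log(checkStrongPassword('Correct-Horse-Battery-7'));  // strong: true
```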
Enable setting for strong password enforcement
- Log in as a superuser.
- Go to Matomo settings (Administration) > System > General Settings > Login.
- Scroll to the setting Force strong passwords to be used and select its checkbox to enable it.
- Save your changes.
Once enabled, Matomo will enforce password complexity checks across all areas where users can create or update passwords:
- Matomo settings (Administration) > Personal > Security – Set and change password.
- Matomo settings (Administration) > System > Users – Change password.
- Forgot Password – Reset password.
- Invite User – Set new password.
- Activity Log – Password reset actions.
Enforcing strong passwords helps protect user accounts from brute-force attacks and significantly reduces the risk of unauthorised access to your Matomo instance.