API: Changing the password policy

You can use Haiilo's API to define a custom password complexity policy for local user accounts. By default, Haiilo's password policy requires passwords to be at least 6 characters long and include at least 1 number.

The change in complexity applies to new users logging in to Haiilo for the first time and to those changing or resetting their passwords. The change via the REST API has no effect on the Haiilo app.

To make calls to the Haiilo API, you need to authenticate first. You can find detailed information about authenticating and using the API here.

List current settings

  1. Make a GET request to the endpoint /api/settings/public to get a list of all public settings.

The response should look similar to the one below:

{
    "linkPattern": "<link pattern>",
    "emailPattern": "<email pattern>",
    "networkName": "<network name>",
    "phonePattern": "<phone pattern>",
    "jsLogThrottle": "<js log throttle>",
    "passwordPattern": "^(?=.*\\d).{6,}$"
}

Update password pattern

  1. Copy the entire response body from the earlier call.
  2. Enter the entire copied response in the request body.
  3. Make the desired changes to passwordPattern. The pattern must be written in RegEx following the rules in the table. You can view an example pattern below.

    | Pattern characters | Rule |
    | --- | --- |
    | ^ | The password pattern should begin with the "start-of-line" anchor so that the pattern has to match the whole password ("matches exactly") rather than any part of it ("contains"). |
    | | The following are lookahead patterns that are useful to assert certain conditions. They should be placed one after the other at the beginning of the regex after the ^ anchor. |
    | (?=.*[a-z]) | The password must contain at least one lower-case letter. |
    | (?=.*[A-Z]) | The password must contain at least one upper-case letter. |
    | (?=.*[0-9]) | The password must contain at least one number. |
    | (?=.*[!@#\\$%\\^&]) | The password must contain at least one special character. Certain characters like backslash, brackets, and tilde must be escaped. Anchors in ranges may have special meaning and should be escaped. |
    | | The following patterns should be placed after the lookahead patterns to define allowed characters for the whole password. |
    | .{8,} | Any characters allowed, at least 8 characters long. |
    | .{8,32} | Any characters allowed, at least 8 characters long, at most 32 characters long. |
    | [a-zA-Z0-9]+ | Any ASCII letters and digits allowed, at least 1 character long. |
    | $ | The password pattern should end with the "end-of-line" anchor so that the pattern has to match the whole password ("matches exactly") rather than any part of it ("contains"). |
  4. Make a PUT request to the endpoint /api/settings.

Example pattern

Below are two examples of password patterns written in regex.

Example 1:

^(?=.*[A-Z])(?=.*[!@#\\$%\\^&])(?=.*[0-9]).{10,}$

The pattern has the following complexity:

  • At least 10 characters long
  • Contains at least one special character (!@#$%^&)
  • Contains at least one number (0-9)
  • Contains at least one uppercase letter

Example 2:

^(?=.*[A-Z])(?=.*[!@#])[a-zA-Z0-9!@#&\\$]{16,}$

This pattern does not allow arbitrary characters, only a defined set. The set includes all characters from the lookahead patterns plus two additional special characters that are optional.

  • At least 16 characters long
  • Contains at least one special character (!@#)
  • Allows only letters (upper- and lowercase), digits, and special characters (!@#&$)

Need help assembling your regex pattern? AI tools can both help compose regexes and explain existing ones clearly. Additionally, sites like regex101.com allow you to test your regexes.
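
The following is an added example, not part of the original article or Haiilo's own code: an offline pre-flight check that runs a candidate passwordPattern against passwords it must accept and must reject, then builds the PUT body from the GET response so the JSON backslash escaping is correct. It assumes Python's re module treats these lookahead and character-class constructs the same way as the server's regex engine; the function names and sample passwords are constructed for illustration.

```python
import json
import re

# Constructed sample: the GET /api/settings/public response shown above.
CURRENT_SETTINGS = r'''{
    "linkPattern": "<link pattern>",
    "emailPattern": "<email pattern>",
    "networkName": "<network name>",
    "phonePattern": "<phone pattern>",
    "jsLogThrottle": "<js log throttle>",
    "passwordPattern": "^(?=.*\\d).{6,}$"
}'''

# Example 1 from this page as the regex engine sees it (single backslashes).
NEW_PATTERN = r"^(?=.*[A-Z])(?=.*[!@#\$%\^&])(?=.*[0-9]).{10,}$"

def check_pattern(pattern, must_accept, must_reject):
    """Return a list of problems; an empty list means the pattern behaves as intended."""
    problems = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        problems.append("pattern is not anchored with ^ and $")
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return problems + [f"pattern does not compile: {exc}"]
    # search() on purpose: the pattern's own anchors must force a whole-string match.
    for pw in must_accept:
        if not rx.search(pw):
            problems.append(f"rejects a password it should accept: {pw!r}")
    for pw in must_reject:
        if rx.search(pw):
            problems.append(f"accepts a password it should reject: {pw!r}")
    return problems

def build_put_body(current_json, pattern):
    """Copy the whole settings object and change only passwordPattern."""
    settings = json.loads(current_json)
    settings["passwordPattern"] = pattern
    return json.dumps(settings, indent=4)  # dumps() re-doubles the backslashes

if __name__ == "__main__":
    # Constructed test passwords, not real credentials.
    accept = ["Tr4ffic&Cones", "LongPassw0rd!"]
    reject = ["short1!A", "nouppercase1!", "NoDigitsHere!", "NoSpecial12345"]
    issues = check_pattern(NEW_PATTERN, accept, reject)
    if issues:
        raise SystemExit("\n".join(issues))
    print(build_put_body(CURRENT_SETTINGS, NEW_PATTERN))
```

The printed JSON is the complete request body for the PUT to /api/settings, with every other setting carried over unchanged.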
