# Password Expiry

You can set up your Authgear project such that a user's password expires after a specific number of days. When a user logs in after the password expiry date, they'll see a prompt to change their password before they're redirected back to your app.

{% hint style="info" %}
By default, password expiry is turned **off** for your Authgear project. [Recent security research](https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry) shows that forcing users to change their passwords after some time can do more harm than good.
{% endhint %}

## Enable Password Expiry

Navigate to the password settings tab and scroll to the **Password Expiry** section. Toggle the **"Force password change on next login if it has expired"** button to enable password expiry.

<figure><img src="https://2638622528-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAjXpMovvVxeIY33s_K%2Fuploads%2Fgit-blob-66f4155d74b9d2a078214b60b08f764145f23ac0%2FScreenshot%202025-08-05%20at%2014.58.11.png?alt=media" alt=""><figcaption></figcaption></figure>

## Set Expiry Date

You can use the field **Force change since last update (days)** to specify the number of days after which a user's password should expire.

For example, setting the value to 90 means the user's password will expire 90 days after the day they set or updated their password.

Once you're done, hit the **Save** button to keep your changes.
