LoginOS
ADR-004 Accepted

Should password rules be harmonized?

Recommendation

Yes. Immediate priority.

Context

Accounts created at different points in Partenamut's history operate under different, undocumented password rules, causing confusing validation failures with no clear cause.

Options considered

  • Leave rules as-is

    Continue operating with inconsistent, legacy-dependent password requirements per account cohort.

  • Harmonize immediately

    Apply a single, modern password policy across every account, with real-time plain-language validation and breach-corpus checking.

  • Harmonize gradually at next password change

    Only apply the new policy when a member next changes their password, leaving legacy accounts on old rules indefinitely.

Rationale

Harmonizing password rules is the most immediate, lowest-effort fix available, and the current inconsistency underlies almost every other friction point in the [Partenamut case study](/case-studies/partenamut): it requires no new integration, only a policy and validation-logic update. Gradual harmonization would leave the confusing experience in place for years.
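As an added illustration (not Partenamut's or the LoginOS project's own code), a Python validator implementing the "harmonize immediately" option: one rule set for every account cohort, plain-language messages that report all problems at once, and a breach-corpus check done as a hash-prefix lookup. The length thresholds and the leaked-password list are constructed assumptions.

```python
import hashlib

# Harmonized policy (assumed values, not Partenamut's actual policy): one rule set
# for every account cohort, length-based rather than composition-based.
MIN_LENGTH = 12
MAX_LENGTH = 128


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked_passwords):
    """Index a breach corpus by the first 5 hex chars of the SHA-1 digest.
    This mirrors k-anonymity range lookups (only the prefix leaves the client);
    the corpus stores digests, never plaintext passwords."""
    index = {}
    for digest in map(_sha1_hex, leaked_passwords):
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


# Constructed sample corpus; a real one is many orders of magnitude larger.
BREACH_INDEX = build_breach_index(["password1234", "123456789012", "qwertyuiop12"])


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], ())


def validate_password(candidate: str, index=BREACH_INDEX) -> list:
    """Return every problem in plain language; an empty list means accepted.
    All checks run so the member sees the full picture on the first attempt,
    instead of one opaque failure per try."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"Use at least {MIN_LENGTH} characters (you entered {len(candidate)}).")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"Use no more than {MAX_LENGTH} characters.")
    if candidate != candidate.strip():
        problems.append("Remove the spaces at the start or end.")
    if is_breached(candidate, index):
        problems.append("This password appears in a list of leaked passwords; please choose a different one.")
    return problems


if __name__ == "__main__":
    for pw in ("password1234", "short", "correct horse battery staple"):
        print(repr(pw), "->", validate_password(pw) or ["accepted"])
```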

Risks

  • Some members may need to reset a password that no longer meets the harmonized policy, requiring clear communication ahead of rollout.
  • Requires coordinated copy and validation updates across web and any legacy portal surfaces.