By default, ProcessMaker passwords will never expire and they only need to contain a minimum of 5 characters which can be all lowercase letters. Many organizations, however, store very sensitive data in ProcessMaker and need to ensure that their passwords are not easily cracked.

In order ensure greater password security, define constants in the file /shared/sites/<WORKSPACE>/db.php, which will change the types of allowed passwords and their expiration date.

The db.php file for the default "workflow" workspace is generally found in Linux/UNIX at:


In Windows, before ProcessMaker version 1.6-4260, it is generally located at:

C:\Program Files\ProcessMaker\apps\processmaker\shared\workflow_data\sites\workflow\db.php

In Windows, ProcessMaker version 1.6-4260 and later, it is generally located at:

C:\Program Files\ProcessMaker\processmaker\shared\sites\workflow\db.php

Edit db.php using a plain text editor such as Notepad or Notepad++ in Windows or vim or gedit in Linux/UNIX.


By default the minimum password length is 5 characters. To set the minimum password length to 8 characters, add the line:

define('PPP_MINIMUM_LENGTH', 8);

By default the maximum password length is 32 characters

define('PPP_MAXIMUM_LENGTH', 32);

To require passwords to contain at least one numerical character, add the line:


To require passwords to contain at least one uppercase character, add the line:


To require that passwords contain at least one symbol character (such as @#$%*), add the line:


To force users to change their passwords periodically, set the numbers of days until the password will expire. For instance to require that users change their passwords every 90 days, then add the line:

define('PPP_EXPIRATION_IN', 90);

To force all users to change their password on the next login, add the line:

Note: The option to force users to change their passwords is no longer available if hotfix or later is installed. This option is now included inside the user's personal information.

To set maximum password attempts, add the line:

define('PPP_FAILED_LOGINS', 3);

Where 3 is the number of attempts before ProcessMaker will block the user

Login after Customizing Authentication

The next time users login after an one of the above authentication parameters has been changed, ProcessMaker will check if their passwords conform to the new configuration. If the current password does not conform, then after login, a dialog will appear asking for the user to enter a new password.

Enter a new password and then retype it a second time, then click on Save. At the next login, use the new password.

Adding Custom Code

If you would like to add custom PHP code to check passwords, edit the file <INSTALL-DIRECTORY>/workflow/engine/classes/model/UsersProperties.php

In Linux/UNIX, it can generally be found at:


In Windows, with ProcessMaker before version 1.6-4260, it can generally be found at:

C:\Program Files\ProcessMaker\apps\processmaker\htdocs\workflow\engine\classes\model\UsersProperties.php

In Windows, with ProcessMaker 4260 and later, it can generally be found at:

C:\Program Files\ProcessMaker\processmaker\workflow\engine\classes\model\UsersProperties.php

This file, however, may be over-written every time a new upgrade patch is applied to ProcessMaker, so be sure to make a backup copy of your custom code and reapply it after an upgrade.