diff --git a/README.org b/README.org index da17537..1e49ac5 100644 --- a/README.org +++ b/README.org @@ -165,3 +165,37 @@ these values: They do not use any CPU or memory resources +** login and password policy + +A charm have to manage different set of password. The best would be +that the charm: + +- don't require user to choose password (less configuration) +- will promote reasonable security practice. + +There are 2 types of password: +- inter-service passwords (ie: database access password), these are + never used by human operator, and will be required to be known by + the charms to set things up. These should be generated randomly + (although they could be set also via configuration if mentionned). + - they can only be changed by specific backend technical manipulation. + +- user service's admin password (ie: admin user of odoo, nextcloud) + - they can be changed through the service interface. + - this service interface is available to the public and the general users. + - charm doesn't need the password to set things up around the service. + +*** Inter-service passwords + +- Login should be defaulted to name of the service when possible +- Should be defaulted to random values if not provided in configuration. +- Should not be advertised even in the command line interface. +- Should be reset-able anytime. + +*** Interactive admin user service's password + +- Login should be defaulted to 'admin' +- Should be defaulted to random values, and not be configurable in configuration. +- Should be advertised at the end of ~compose up~ along with URL of services as long + as the default value chosen by compose is still working. +- Should not be advertised once it was changed by user. \ No newline at end of file
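Review bot: In "Interactive admin user service's password", the bullet "Should be advertised at the end of ~compose up~ ... as long as the default value chosen by compose is still working" implies that compose keeps the generated admin password and can check it against the service, but the text never says where that value is stored, how it is protected, or how "still working" is determined. It also sits oddly with the earlier "charm doesn't need the password to set things up around the service". Please document the storage and the check, and state that advertising the password on ~compose up~ output puts it in terminal scrollback and in any captured logs of that command. In both sub-sections the bullets after "Login should be defaulted to ..." have no subject, so "Should be defaulted to random values" reads as applying to the login; start those bullets with "Password". "Should be reset-able anytime" needs reconciling with "they can only be changed by specific backend technical manipulation" in the list above. Minor: "A charm have to manage different set of password", "mentionned", and the missing newline at end of file.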