Password policy

Updated by Katy Harrison

As the admin of an organisation, you're responsible for setting the password policy for users in your organisation. Setting the password policy can be complicated and confusing, and this article provides recommendations to make your organisation more secure against password attacks.

These recommendations are based on the best practice guidelines from the National Cyber Security Centre. The NCSC advises reducing reliance on passwords by use of Multi-Factor Authentication. See steps on how to turn on MFA for your organisation here.

The password policy for newly created organisations will have the recommended settings as below. Password policies can be adjusted by users with Customer admin permissions to include requiring numbers, mixed case and special characters in order to adhere to internal policies.

Minimum length: 14
This is the minimum number of characters a password must contain.
To encourage users to think about a unique password, we require a minimum length of 14 characters. Encourage your users to use a randomly generated password, stored in a password manager. If they can't use a password generator and manager, they should use the 'three random words' method to come up with a stronger password.

Minimum lowercase: 0
This is the minimum number of lowercase characters a password must contain.
Forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable ones.

Minimum uppercase: 0
This is the minimum number of uppercase characters a password must contain.
Forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable ones.

Minimum numbers: 0
This is the minimum number of numerical characters a password must contain.
Forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable ones.

Minimum special characters: 0
This is the minimum number of special characters, such as @ & % $, a password must contain.
Forcing your users to choose a combination of uppercase letters, lowercase letters, digits and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable ones.

Password expiry: 0
This is the number of days a password is valid for once set. At the number of days specified, the password will expire and the user will have to set a new password on their next login. If set to 0, the password will not expire.
Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

Password repetition restriction: 10
Password repetition restriction must be 10 or higher.
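As an added illustration (not part of this article or the product's own code), the following Python models the settings above as a policy checker whose defaults are the recommended values; the class and function names and the PBKDF2-based password-history hashing are assumptions of the example, not how the product stores anything.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib, hmac, os, string

@dataclass(frozen=True)
class PasswordPolicy:
    """The knobs described in the article; defaults are the recommended settings."""
    min_length: int = 14
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_numbers: int = 0
    min_special: int = 0
    expiry_days: int = 0              # 0 means the password never expires
    repetition_restriction: int = 10  # previous passwords that may not be reused

def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest for the history list; each entry keeps its own salt
    so a candidate can be re-derived and compared without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def violations(candidate: str, history: List[Tuple[bytes, bytes]],
               policy: PasswordPolicy) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    counts = {
        "min_lowercase": sum(c.islower() for c in candidate),
        "min_uppercase": sum(c.isupper() for c in candidate),
        "min_numbers": sum(c.isdigit() for c in candidate),
        "min_special": sum(c in string.punctuation for c in candidate),
    }
    for rule, have in counts.items():
        need = getattr(policy, rule)
        if have < need:
            problems.append(f"{rule} requires {need}, found {have}")
    # Only the most recent entries count; each is compared in constant time.
    recent = history[-policy.repetition_restriction:] if policy.repetition_restriction else []
    for salt, digest in recent:
        if hmac.compare_digest(hash_for_history(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {policy.repetition_restriction} passwords")
            break
    return problems

def password_expired(set_on: date, today: date, policy: PasswordPolicy) -> bool:
    """Expiry 0 means never; otherwise expired once expiry_days have elapsed."""
    return policy.expiry_days > 0 and today >= set_on + timedelta(days=policy.expiry_days)
```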

What happens when you change the password policy

Any change saved to the Organisation (not only to the password policy, but also a name change, for example) requires the minimum length and repetition restriction to be set to at least the values above.

If the password policy is updated, existing users only need to change their password when the password expiry period, if one is set, ends. If you want all users to update their passwords to adhere to the new policy straight away, you can use the bulk edit functionality to force a password reset on next login.

Password advice for your organisation

We've put together the top tips for keeping accounts secure that your users can implement. You can share this article with your organisation for further advice on keeping their accounts safe.
